Goldman Sachs Applicant - Fair Processing Notice
As part of our commitment to protecting your personal data and processing it in a transparent manner, this fair processing notice ("notice") provides information on the personal data collected and processed by members of Goldman Sachs Group Inc. regarding persons who register for notifications of, or who have applied for, employment or other positions with us ("applicants" "you" or "your") and third parties whose information is provided to us in connection with such positions.
Whose data do we process?
We process the personal data of applicants for roles with us, including applicants for employment, for our graduate scheme or for any other type of position with us. We may also process the personal data of third parties whose information is provided to us in connection with this relationship (e.g. emergency contact information or referees).
This notice applies to you if you are an applicant for a role or other engagement with a member(s) of Goldman Sachs Group Inc. located in the European Union (“EU”) or Switzerland. In this notice, such entity or entities are referred to as "GS", "we", "our" or "us".
This notice describes the personal data that may be collected from you and from third parties about you, the purposes for which that personal data is collected, stored and used, and our reason for doing so (also referred to as our "legal basis"). In this notice we also outline which internal GS function may use your personal data and when it may be shared with other vendors and advisors, and we summarise your rights in relation to our processing of your personal data, and how you can exercise these rights.
What is personal data?
Personal data is any information relating to an identified or identifiable natural person.
An identifiable natural person is a living natural person (rather than a legal entity, such as a company) who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
If you would like to contact us regarding the processing of your personal data, please contact your local GS contact or our Data Protection Officer at firstname.lastname@example.org or at: The Office of the Data Protection Officer, Peterborough Court, 133 Fleet Street, London EC4A 2BB.
1. WHO IS RESPONSIBLE FOR YOUR PERSONAL DATA?
Goldman Sachs International and, if different, the member(s) of Goldman Sachs Group Inc. based in the EU or Switzerland that are providing you with notifications of available positions, or are considering your application for employment, internship or other engagement, will each be a data controller of your personal data. In addition, where processing of personal data is undertaken by GS affiliates for their own purposes, these affiliates may also be data controllers of your personal data.
What is a GS affiliate?
In this notice, “GS affiliate” or “our affiliate” means any entity controlled, directly or indirectly by GS, any entity that (directly or indirectly) controls GS, or any entity directly or indirectly under common control with GS.
A list of the Goldman Sachs controllers likely to be relevant to you, and, where applicable, their representatives are set out in Appendix 1.
This notice applies in conjunction with any other notices you receive from GS affiliates in connection with the processing of your personal data.
2. WHAT PERSONAL DATA DO WE PROCESS?
2.1. YOUR PERSONAL DATA
GS and GS affiliates will, depending on the role you applied for, process certain personal data relating to you and people connected to you, including:
A. Personal details: such as your name, gender, nationality, date of birth, home contact details (e.g. address, telephone number, e-mail), immigration data (including passport details and place of birth), eligibility to work data, photograph and languages spoken. If you apply for notification of our available positions, we only process data relevant to this request, such as your name, email address and any details you provide as to the type of roles in which you are interested.
This also includes data such as your title, forename, middle name(s) and surname, birth name, preferred name, any additional names, country of residence and of tax residence, second nationality, civil/marital status, age, national ID number, hobbies, languages spoken and level of proficiency, mother's maiden name, name of spouse and next-of-kin contact information (where supplied) and your log-in details for use on the applicable GS website
B. Information relating to recruitment and selection: such as details regarding the role you have applied for, your CV and application, qualifications, references, background check information, financial stability checks and reviews of professional and social media.
This also includes data such as professional and academic background (including previous role information, salary and bonus details and educational history), information relating to university courses (including studying abroad, academic transcripts, current grades/credits, degree details and technical education), information about previous knowledge and interactions with GS, photograph, skills, interview and assessment data and responses to the disclosure questionnaire (including former relationships with GS, GS employees and directors as well as relationships with other named entities).
C. Interview and assessment information: such as interview information and, if applicable, your answers to and the results of any test or assessment that you undertake with us.
This includes records of your progress through the application and selection process, records relating to interview dates, times and locations, notes and feedback from interviewers and video recordings of interviews, as appropriate.
D. Regulatory information: such as your regulated status and any regulatory references.
This also includes data such as records of your registration with any applicable regulatory authority, any relevant certificates, information regarding any issues that may affect professional propriety, compliance approval status and any conflict of interest disclosure.
E. Self-identification information: if provided, and to the extent permitted by applicable law, information relating to gender, military experience and special categories of personal data, such as ethnicity and race, disability, sexual orientation and whether you identify as transgender.
What are special categories of personal data?
Special categories of personal data are: (i) personal data that reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; (ii) any genetic data or biometric data processed for the purpose of uniquely identifying a natural person; or (iii) data concerning health or sex life or sexual orientation.
F. Details of third parties: such as the names and details of your emergency contact or referees.
This also includes data such as the third party’s name, contact details and any additional information which we process in connection with our regulatory obligations. See section 2.3 of this notice if you provide such data to us.
G. Data relating to criminal convictions and offences: such as data relating to actual and alleged criminal convictions and offences, to the extent permitted by applicable law.
What data relating to criminal convictions and offences are processed?
We process criminal convictions and offences data in the context of background checks and regulatory registrations, as set out in this notice.
2.2 HOW DO WE COLLECT YOUR PERSONAL DATA?
We mainly collect your personal data directly from you.
You will usually provide this information directly to us, or enter it into our system. You may do this through a CV and cover letter or through our recruitment portal online.
In addition, further information about you will be generated by internal sources. This could include assessment results and interview feedback. This will include from materials created by the relevant recruiter, HCM, interviewers and the hiring manager. You may also be referred to us by an existing GS employee.
In some cases we may obtain your personal data from GS affiliates or from third parties. This could include where your application is made through a recruitment agency or through a GS contact. We may receive information from other consultants and some information may be gathered from publicly available sources.
In some circumstances, data may be collected indirectly from monitoring devices or by other means (for example, building monitoring systems, closed circuit television, telephone logs and recordings and email and Internet access logs), if and to the extent permitted by applicable laws.
2.3 DATA RELATING TO THIRD PARTIES
In certain circumstances we may process personal data of third parties, such as an emergency contact or referees. The personal data regarding third parties that you provide to us will be processed for the purposes of your application and to contact your next-of-kin in an emergency. Additional information relating to our processing of their personal data is available online here: www.gs.com/privacy-notices. Before you provide data relating to third parties to us, you should ensure you are permitted to do so and make them aware of the information contained in this notice.
3. THE PURPOSES AND REASONS FOR PROCESSING YOUR PERSONAL DATA
3.1 PURPOSES FOR PROCESSING
Your personal data are collected and processed for various business purposes, in accordance with applicable laws and any applicable collective bargaining agreements. Data may occasionally be used for purposes not anticipated by you where the circumstances warrant such use.
GS and GS affiliates always process your personal data for a specific purpose and process only the personal data relevant for achieving that purpose. In particular, we process your personal data for the following purposes and for compatible purposes:
A. Applicant/candidate attraction, assessment and selection: including all activities in connection with staff recruitment (including vetting and background checks).
This includes recruitment activities (such as reviewing and considering your application, contacting you regarding it, interviewing you, assessing you against other applicants, undertaking testing and making an offer of employment or engagement, as appropriate).
If and to the extent permitted by applicable laws, this also includes appropriate vetting for recruitment including, where relevant and appropriate credit checks, right to work verification, identity fraud checks, criminal record checks, relevant employment history, relevant regulatory status and professional qualifications.
B. Promoting diversity and preventing discrimination: including those activities that we take as an Equal Opportunities employer.
This includes managing monitoring programmes to ensure equality of opportunity and diversity with regard to personal characteristics protected under applicable anti-discrimination laws and to monitor progress towards achieving more diverse representation.
C. Meeting our regulatory and compliance obligations and preventing crime: this includes carrying out regulatory compliance checks, making disclosures to, and complying with requests from public authorities, regulators (whether inside or outside of the EEA) or governmental bodies across our global group, and investigating conduct and preventing fraud and other crime.
- activities to enforce our legal rights and obligations, and for any purposes in connection with any legal claims made by, against or otherwise involving you;
- actions we take to comply with lawful requests by public authorities (including without limitation to meet national security or law enforcement requirements), disclosure requests, or where otherwise required or permitted by applicable laws, court orders, government regulations, or regulatory authorities (including without limitation data protection, tax and employment), in all cases whether within or outside your country of residence; and
- processing activities to satisfy our regulatory obligations to supervise the persons employed or appointed by us to conduct business on our behalf, including preventing, detecting and investigating a wide range of activities and behaviours, whether relating to specific business dealings or to the workplace generally and liaising with regulatory authorities.
We may also process data for other purposes, which we will notify to you from time to time.
Additional information regarding specific processing of personal data may be notified to you locally or as set out in applicable policies.
3.2 OUR REASONS (LEGAL BASES) FOR PROCESSING
The personal data processing described in this notice may be:
A. necessary in order to enter into contracts with you relating to your employment or engagement with us;
This applies to paragraph A of section 3.1 above.
B. necessary in order to comply with our legal obligations under the laws of the EU and its Member States;
This applies to paragraphs A to C of section 3.1 above.
C. necessary for the legitimate interest of GS or others (as described below), where these are not overridden by your interests or fundamental rights and freedoms; or
This applies to paragraphs A to C of section 3.1 above.
D. in limited circumstances and to the extent the legal bases for processing set out above do not apply, processed with your consent (which we obtain from you from time to time).
The ‘legitimate interests’ referred to in section 3.2 C above are:
- the processing purposes described in A to C of section 3.1 of this notice to the extent the processing is not necessary in order to (i) enter into contracts with you and meet our obligations under such contracts, or (ii) comply with our legal obligations under the laws of the EU and its Member States;
- working with the firm’s regulators to meet their requirements, and complying with our regulatory obligations globally; and
- exercising our fundamental rights and freedoms, including our freedom to conduct a business and right to property.
Special categories of personal data
In addition, where applicable data protection laws require us to process special categories of personal data on the basis of a specific lawful justification, we process the same under one of the following additional legal bases:
A. the processing is necessary for the purposes of carrying out the obligations and exercising specific rights in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
This applies to certain processing activities described under section 3.1 A and B above. This may include the following, although this is not an exhaustive list:
- health and medical information may be used to comply with employment, health and safety or social security laws; for example to avoid breaching legal duties to you and avoid unlawful discrimination or dealing with complaints arising in this regard;
- information regarding your racial or ethnic origin, religion, philosophical or political belief, sexual life and sexual orientation may be used in the event of a complaint where such characteristics or information are provided and/or relevant to the particular complaint, in order to comply with employment law obligations.
B. the processing is necessary for the establishment, exercise or defence of legal rights and claims;
This applies to processing for the purposes of establishing, exercising and defending legal claims, as described in section 3.1 C of this notice, to the extent this involves processing any special categories of personal data.
C. the processing is necessary for reasons of substantial public interest;
D. the processing relates to personal data that you have made public; or
E. solely to the extent that the processing is not otherwise justified under one of the above justifications, your explicit consent to the processing (which we obtain from you from time to time).
Data relating to criminal convictions and offences
We process personal data relating to criminal convictions and offences as authorised by applicable law. For example, we process criminal record information as part of the pre-employment vetting procedures (see section 3.1 A above), where required or authorised by applicable law.
4. MANDATORY DATA
Where we ask you to provide personal data to us on a mandatory basis, we will inform you of this at the time of collection. We will also inform you if particular information is required by the contract or statute. Failure to provide any mandatory information will mean that we cannot carry out certain processes. For example, if you do not provide us with your contact information, educational history or right to work information, we will not be able to consider you properly for the role that you have applied for. In some cases it may mean that we are unable to employ or engage you as GS will not have the personal data we believe to be necessary to make the relevant decisions or for the effective and efficient administration and management of an ongoing relationship with you.
5. YOUR CONSENT
We may seek your consent to certain processing which is not otherwise justified on one of the bases set out in section 3.2 of this notice. If consent is required for the processing in question, it will be sought from you separately to ensure that it is freely given, informed and explicit. Information regarding such processing will be provided to you at the time that consent is requested, along with the impact of not providing any such consent. You should be aware that it is not a condition or requirement to agree to any request for consent from GS.
To the extent GS is relying on your consent to process your personal data, you have the right to withdraw your consent to such processing at any time. You can do this by contacting your GS contact or our data protection team at email@example.com.
Please note that any processing of your personal data prior to your withdrawal of consent will remain unaffected by any such withdrawal. Please note also that this notice does not apply to consents you provide for any other reason, such as in connection with vetting procedures.
6. SHARING PERSONAL DATA
Within GS, your personal data can be accessed by or may be disclosed internally on a need-to-know basis to:
- local, regional and global HCM, including managers and team members;
- local, regional and executive management responsible for managing or making decisions in connection with the relevant recruitment exercise (including, without limitation, staff from the division and geography that you have applied to), Compliance, Legal, Operations, the Office of Global Security and Information Security;
- local and regional support services (such as travel bookings and other support services) and personal assistants;
- system administrators; and
- where necessary for the performance of specific tasks or system maintenance by staff in GS teams such as the Finance and IT Department and the Global HCM information systems support team.
Your personal data may also be accessed by third parties with whom we work and who provide us with services, such as hosting, supporting and maintaining the framework of our HCM information systems.
Personal data may also be shared with certain interconnecting systems. Data contained in such systems may be accessible by providers of those systems, their affiliates and sub-contractors.
Due to the size and complexity of GS’s operations it is not possible to name each of our data recipients in this notice. Examples of third parties with whom your data may be shared include GS's clients (and client staff, where appropriate), suppliers (and supplier staff), tax authorities, regulatory authorities, GS's insurers, bankers, IT administrators, lawyers, auditors, investors, consultants and other professional advisors, payroll providers, and administrators of GS's benefits programs. GS requires such third parties to process any data disclosed to them in accordance with applicable law, including with respect to data confidentiality and security.
Where these third parties act as a "data processor" they carry out their tasks on our behalf and upon our instructions for the above mentioned purposes. In this case your personal data will only be disclosed to these parties to the extent necessary to provide the required services.
In addition, we may share personal data with national authorities or regulators in order to comply with a legal obligation or regulatory requirement to which we are subject.
7. SECURITY OF DATA
GS uses a variety of technical and organisational methods to secure your personal data in accordance with applicable laws.
GS is committed to protecting the security of the personal data you share with us. In support of this commitment, we have implemented appropriate technical, physical and organisational measures to ensure a level of security appropriate to the risk.
We require our vendors and suppliers to keep the personal data that we provide to them secure, both in transit and once received by them. This includes encryption, where appropriate.
8. INTERNATIONAL TRANSFER
GS will ensure that appropriate safeguards are in place to protect your personal data and that transfer of your personal data is in compliance with applicable data protection laws. Where required by applicable data protection laws, GS has ensured that service providers (including other GS affiliates) sign standard contractual clauses as approved by the European Commission or other supervisory authority with jurisdiction over the relevant data exporter. You can obtain a copy of any standard contractual clauses in place which relate to transfers of your personal data by contacting firstname.lastname@example.org.
The data sharing listed in this notice may involve the transfer of personal data to any country in which GS or a GS affiliate conducts business or has a service provider or to other countries for law enforcement purposes (including, without limitation, the United States of America and other countries whose data privacy laws are not as stringent as those in effect in the United Kingdom, Switzerland or the European Union).
9. DATA SUBJECT RIGHTS
You may be entitled under the applicable data protection laws to the following rights in respect of your personal data:
A. Information and access: You have the right to be provided with certain information about GS's processing of your personal data and access to that data (subject to exceptions).
B. Rectification: If your personal data changes, we encourage you to inform us of the change. You have the right to require inaccurate or incomplete personal data to be updated or corrected.
C. Erasure: You have the right to require that your data be erased in certain circumstances, including where it is no longer necessary for us to process this data in relation to the purposes for which we collected or processed the data, or if we processed this data on the basis of your consent and you have since withdrawn this consent.
D. Data portability: Where we process your personal data on the basis of your consent, or where such processing is necessary for entering into or performing our obligations under a contract with you, you may have the right to have the data transferred to you or another controller in a structured, commonly used and machine-readable format, where this is technically feasible.
E. Right to object to certain data processing: To the extent that GS is relying upon the legal basis of legitimate interest to process your personal data, then you have the right to object to such processing, and GS must stop such processing unless we can either demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms or where GS needs to process the data for the establishment and exercise of legal rights or defence of legal claims. Where GS relies upon legitimate interest as a basis for processing we believe that we can demonstrate such compelling legitimate grounds, but we will consider each case on an individual basis.
F. Right to restriction of processing: You have the right to restrict GS's processing of your personal data while your request for data rectification or objection to personal data processing is being considered, if we no longer need to process your data but you need that data in connection with a legal claim, or if our processing is unlawful but you do not want us to erase the data. If this right applies, we will continue to store your data but will only further process it with your consent, for the establishment and exercise of legal rights or defence of legal claims, to protect the rights of another person, or for reasons of important public interest.
G. Right to withdraw consent: To the extent that GS is relying upon your consent to process personal data, you have the right to withdraw such consent at any time. Please see section 5 of this notice.
H. Complaint: You also have the right to lodge a complaint with a supervisory authority, in particular that in your Member State of residence, where applicable.
If you wish to exercise any of these rights you may do so by sending an email to email@example.com or a written request to GS, clearly marked "Individual Rights" and sent to the following address:
Office of the Data Protection Officer,
Goldman Sachs International,
133 Fleet Street,
We may provide additional ways for you to exercise your rights from time to time.
10. RETENTION OF PERSONAL DATA
GS and GS affiliates retain personal data for varying time periods in order to assist us in complying with legal and regulatory obligations, to enable compliance with any requests made by regulators or other relevant authorities and agencies, to enable us to establish, exercise and defend legal rights and claims, and for other legitimate business reasons.
GS and GS affiliates retain your personal data for the period of time required for the purposes for which it was collected, any compatible purposes which we subsequently establish, any new purposes to which you subsequently consent, or to comply with legal, regulatory and GS policy requirements.
11. UPDATES TO THIS NOTICE
The information in this notice may change from time to time – for example, the categories of personal data that GS collects, the purposes for which it is used and the ways in which it is shared may change. This notice may be updated from time to time.
APPENDIX 1: GS CONTROLLER ENTITIES
GOLDMAN SACHS INTERNATIONAL
GOLDMAN SACHS INTERNATIONAL BANK
GOLDMAN SACHS (UK) SVC. LIMITED
GOLDMAN SACHS (RUSSIA)
GOLDMAN SACHS BANK EUROPE SE
GOLDMAN SACHS PARIS INC. ET CIE
GOLDMAN SACHS EUROPE SE
GOLDMAN SACHS REALTY MANAGEMENT GMBH
GOLDMAN SACHS POLAND SERVICES SPOLKA Z OGRANICZONA ODPOWIEDZIALNOSCIA
GOLDMAN SACHS BANK AG*
GOLDMAN SACHS & CO. LLC*