This notice sets out Sullivan & Cromwell’s policy on processing the personal data of job applicants or others seeking information about employment opportunities with the Firm.
In this notice, “Sullivan & Cromwell” or the “Firm” refers to Sullivan & Cromwell LLP and its affiliated partnerships from time to time. Sullivan & Cromwell LLP is a limited liability partnership registered under the laws of the State of New York.
The words “we”, “us” and “our” refer to Sullivan & Cromwell, and the words “you” and “your” refer to the job applicant or other person whose data we process.
As part of any recruitment process, we collect and process personal data relating to job applicants, including special categories of data. It is our policy to deal with your personal information responsibly and in accordance with the requirements of applicable data protection laws, including the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
What personal information we collect
- your name, alias, postal address, contact details, including email address, telephone number and a photograph, SSN, driver’s license number, passport number
- your signature, physical characteristics or description, state ID card number, bank account number
- your date of birth, gender, marital status
- details of your education background, qualifications, professional licenses and memberships, skills, experience, employment, and employment history, CV, interview notes, outcome of application
- information about your current level of remuneration, including benefit entitlements
- whether or not you have a disability for which we need to make reasonable adjustments during the recruitment process
- information about your entitlement to work in the UK
- passwords and security questions when you apply via our website
- equal opportunities monitoring information, including information relating to characteristics of protected classifications under CA or federal law, including race, color, national origin, gender, disability, age (40 and older), citizenship status, gender identity, sexual orientation, marital status, military or veteran status, and political activities or affiliations, and
- Internet or other electronic network activity information, including, but not limited to, information regarding your interaction with our website.
We collect this information as part of our recruitment and hiring processes in a variety of ways, including:
- directly from you when you apply for a role or when you submit your personal information to us via our website or an alternative application form
- from your passport or other identity documents, or through interviews or other forms of assessment
- from third parties, such as recruitment agencies acting on your behalf or references supplied by former employers, information from employment background check providers and information from criminal records checks. We will seek information from third parties only once a job offer to you has been made and will inform you that we are doing so, and
- data from partners and employees of the Firm as a result of internal referrals or other information generated as part of our recruitment processes.
How we use personal information
- to identify you and process your application
- to manage the recruitment process, assess and confirm your candidacy and decide whether or not to offer you a job
- to contact you with communications about employment opportunities with S&C
- to fulfil our legal and regulatory obligations, including reporting obligations and in connection with potential or actual legal or regulatory proceedings or investigations
- to fulfill our contractual obligations
- to communicate with you and provide information requested by you, and (where relevant) to repay approved expenses incurred as part of our recruitment processes
- to improve our website, including auditing and monitoring its use, to provide users with a customized experience, and to understand our website audience and demographics and their interests and content preferences
- to determine if we need to make reasonable accommodations for candidates who are disabled and need them
- to fulfil our obligations under diversity and equal opportunities regulations, and to monitor the effectiveness of our diversity efforts
- to support and evaluate our personnel
- to engage in other activities in connection with the proper operation of our legal practice. For example, in connection with its operations, S&C must share or transfer data to third parties (for example, insurance providers, pension administrators, banks, payroll and other service providers) and among its offices around the world in connection with S&C’s provision of legal services, satisfaction of its professional commitments and support and administration of its personnel
- to operate S&C’s alumni site, including personalization services, such as suggested contacts, news, events and interactive communications
- to enable users of S&C’s alumni site to search for and locate other users via the directory
- in connection with the administration of events
- to book travel, and
- to obtain business-related information through surveys conducted by us and others.
- for our legitimate business purposes, as described above
- to take steps with a view to entering into a contract of employment with you
- for the establishment, exercise or defense of legal claims or proceedings
- to comply with legal and regulatory obligations
- IT service providers, such as the external provider that manages our recruitment website
- your appointed recruitment agent (if applicable), and
- our own professional advisers and auditors.
Protecting Personal Information
We use a variety of technical and organizational measures to help protect your personal information from unauthorized access, use, disclosure, alteration or destruction consistent with applicable data protection laws. These measures are reviewed periodically by external assessors who confirm and certify our operations.
Accordingly, we hold certificate #IS 585222 and operate an Information Security Management System which complies with the requirements of ISO/IEC 27001:2013.
Keeping Personal Information
We retain personal information of different types, or relating to different categories of people, for different periods, taking into account its business purpose. For example, information about individuals who have applied for employment with us will be retained for a shorter period than information about individuals who have actually worked for us.
The periods for which we retain information are based on the requirements of applicable data protection laws and the purpose for which the information is collected and used. We take into account legal and regulatory provisions which require information to be retained for a minimum period. We also consider the limitation periods for taking legal action and good practice in the legal industry.
If your application for employment is successful, personal data gathered during the recruitment process will be transferred to your personnel file and retained during your employment.
- access and obtain a copy of your data on request,
- require us to change incorrect or incomplete data,
- require us to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing,
- object to the processing of your data where we rely on legitimate interests as the legal ground for processing, and
- ask us to stop processing data for a period if data is inaccurate or there is a dispute about whether or not your interests override our legitimate grounds for processing data.
Pursuant to the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), California residents receive certain rights with respect to their personal information, as described below. These rights are not absolute and are subject to certain exceptions more fully set forth in the CCPA. California residents have the right not to receive discriminatory treatment from us for the exercise of the privacy rights conferred by the CCPA.
Right to know about personal information collected, disclosed, or sold
Each California resident has the right to request, subject to certain exceptions described in the CCPA, that we disclose to that resident:
- the categories of personal information we have collected about them,
- the categories of sources from which the personal information is collected,
- the business or commercial purpose for collecting or selling the personal information,
- the categories of third parties with whom we have shared the personal information, and
- the specific pieces of personal information we have collected about them (collectively, a “Request to Know”).
We do not sell your personal information as defined under the CCPA or share your personal information for cross-contextual behavioral advertising purposes and we do not have actual knowledge that we sell or share the personal information of consumers under 16 years of age. We do not use or disclose sensitive personal information for purposes other than those permitted purposes specifically identified in the CCPA and its implementing regulations.
Right to request deletion of personal information
Each California resident has the right to request the deletion of their personal information that we collect or maintain (a “Request to Delete”), subject to certain exceptions set forth in the CCPA. To make such a Request to Delete, you can either call us at our toll-free number (1-888-558-1505), or fill out our request form here.
Right to correct inaccurate personal information
Each California resident has the right to request the correction of any inaccurate personal information that we maintain (a “Request to Correct”), subject to certain exceptions set forth in the CCPA. To make such a Request to Correct, you can either call us at our toll-free number (1-888-558-1505), or fill out our request form here.
Process for verifying requests of California residents
In order to protect your privacy and security, prior to completing any Request to Know, Request to Delete or Request to Correct that you may submit, we must verify your identity. We will verify your identity by asking you to provide certain data that we have already collected from you to confirm that they match our records. In certain instances, additional verification steps may be required.
California residents have the right to designate an authorized agent to make a request under the CCPA on their behalf. Prior to completing a request made by such an authorized agent, we require that you provide your authorized agent with written permission to submit such a request and require that you or your authorized agent provide us with a copy of such written permission. Additionally, we require that you verify your identity pursuant to the procedure described above.
What if you do not provide personal data?
You are under no statutory or contractual obligation to provide data to us during the recruitment process. However, if you do not provide the information, we may not be able to process your application properly or at all.
If you have any questions on the matters covered in this policy, please contact our Data Protection Officer, Craig Jones at [email protected].
This policy was last updated on January 5, 2023.