Pre-Hire Recruitment Privacy Policy

This notice sets out Sullivan & Cromwell’s policy on processing the personal data of job applicants or others seeking information about employment opportunities with the Firm.

In this notice, “Sullivan & Cromwell” or the “Firm” refers to Sullivan & Cromwell LLP and its affiliated partnerships from time to time.  Sullivan & Cromwell LLP is a limited liability partnership registered under the laws of the State of New York. 

The words “we”, “us” and “our” refer to Sullivan & Cromwell, and the words “you” and “your” refer to the job applicant or other person whose data we process.

As part of any recruitment process, we collect and process personal data relating to job applicants, including special categories of data. It is our policy to deal with your personal information responsibly and in accordance with the requirements of applicable data protection laws, including the European Union’s General Data Protection Regulation (GDPR).

What personal information we collect

We collect a range of information about you as part of your job application and recruitment process. This may include:
  • your name, address, contact details, including email address, telephone number and a photograph
  • your date of birth, gender, marital status
  • details of your education background, qualifications, professional licenses and memberships, skills, experience and employment history, CV, interview notes, outcome of application
  • information about your current level of remuneration, including benefit entitlements
  • whether or not you have a disability for which we need to make reasonable adjustments during the recruitment process
  • information about your entitlement to work in the UK
  • passwords and security questions when you apply via our website, and
  • equal opportunities monitoring information, including information relating to ethnicity, sexuality and disabilities
How we collect personal information

We collect this information as part of our recruitment and hiring processes in a variety of ways, including:
  • directly from you when you apply for a role or when you submit your personal information to us via our website or an alternative application form
  • from your passport or other identity documents, orthrough interviews or other forms of assessment
  • from third parties, such as recruitment agencies acting on your behalf or references supplied by former employers, information from employment background check providers and information from criminal records checks. We will seek information from third parties only once a job offer to you has been made and will inform you that we are doing so, and
  • data from partners and employees of the Firm as a result of internal referrals or other information generated as part of our recruitment processes.
Data will be stored in a range of different places, including on your application record, in HR management systems and on other of our IT systems (including email).

How we use personal information

We use the information we collect in a number of ways including:
  • to identify you and process your application
  • to manage the recruitment process, assess and confirm your suitability for employment and decide whether or not to offer you a job
  • to fulfil our legal and regulatory obligations, including establishing, exercising or defending legal claims
  • to communicate with you and provide information requested by you, and (where relevant) to repay approved expenses incurred as part of our recruitment processes
  • to improve our website, including auditing and monitoring its use
  • to determine if we need to make reasonable adjustments to the recruitment process for candidates who have a disability,
  • to fulfil our obligations under diversity and equal opportunities regulations, and to monitor the effectiveness of our diversity efforts
The grounds on which we process personal information

We process personal information on one or more of the following grounds:
  • for our legitimate business purposes, as described above
  • to take steps with a view to entering in to a contract of employment with you
  • for the establishment, exercise or defense of legal claims or proceedings
  • to comply with legal and regulatory obligations
Sharing personal information

The Firm has offices around the world (https://www.sullcrom.com/offices).

Your information will be shared with individuals involved in the Firm’s worldwide recruitment efforts. This includes members of the HR and recruitment team, interviewers involved in the recruitment process and partners/managers in the business area(s)  relevant to your application. This may result in your information being transferred to one or more of our offices worldwide

We may also share your personal information with trusted third parties in accordance with contractual arrangements in place with them, including:
  • IT service providers, such as the external provider that manages our recruitment website
  • your appointed recruitment agent (if applicable), and
  • our own professional advisers and auditors.
If your application for employment is successful and we make you an offer of employment, we will then share your data with our employment background check providers to obtain necessary background checks (which will include contacting your former employers to obtain references for you)  and the Disclosure and Barring Service to obtain necessary criminal records checks.

In some circumstances, we may also pass information to regulatory authorities, courts, tribunals, government agencies and law enforcement agencies.  We may be required to disclose your information to comply with legal or regulatory requirements. Where possible, we will use reasonable efforts to notify you before disclosing your information, but we may be legally restricted from doing so.

This may involve a transfer of your information from a location within the European Economic Area (the “EEA”) to outside the EEA, or from outside the EEA to a location within the EEA.  The level of information protection in countries outside the EEA may be less than that offered within the EEA. We will implement appropriate measures to ensure that your personal information nevertheless remains protected and secure in accordance with applicable data protection laws.  EU standard contractual clauses are in place between all Sullivan & Cromwell entities that share and process personal data.

Protecting Personal Information

We use a variety of technical and organizational measures to help protect your personal information from unauthorized access, use, disclosure, alteration or destruction consistent with applicable data protection laws.  These measures are reviewed periodically by external assessors who confirm and certify our operations. Accordingly, we hold certificate #IS 585222 and operate an Information Security Management System which complies with the requirements of ISO/IEC 27001:2013. 

Keeping Personal Information

Your personal information will be retained in accordance with our Data Privacy Policy.

We retain personal information of different types, or relating to different categories of people, for different periods, taking into account its business purpose. For example, information about individuals who have applied for employment with us will be retained for a shorter period than information about individuals who have actually worked for us. 

The periods for which we retain information are based on the requirements of applicable data protection laws and the purpose for which the information is collected and used.  We take into account legal and regulatory provisions which require information to be retained for a minimum period.  We also consider the limitation periods for taking legal action and good practice in the legal industry.

If your application for employment is successful, personal data gathered during the recruitment process will be transferred to your personnel file and retained during your employment. 

Your rights

As a data subject, you have a number of rights. You can:
  • access and obtain a copy of your data on request,
  • require us to change incorrect or incomplete data,
  • require us to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing,
  • object to the processing of your data where we rely on legitimate interests as the legal ground for processing, and
  • ask us to stop processing data for a period if data is inaccurate or there is a dispute about whether or not your interests override our legitimate grounds for processing data.
What if you do not provide personal data?

You are under no statutory or contractual obligation to provide data to us during the recruitment process. However, if you do not provide the information, we may not be able to process your application properly or at all.

Contacting us

If you have any questions on the matters covered in this policy, please contact our Data Protection Officer, Craig Jones at [email protected].