Sytner Group Candidate Privacy Notice

1  About this notice

1.1  This notice was last updated on the 23rd May 2018.

1.2  This privacy notice (“notice”) describes what types of personal data Sytner Group Limited and companies within the Sytner Group (referred to throughout this notice as “Sytner Group”, “we”, “us” or “our”) collect from you, when, how and why it is collected, used and disclosed and how it is kept secure when you use our website https://careers.sytner.co.uk/.

1.3  Full details of Sytner Group Limited and companies within the Sytner Group are set out at the end of this notice in Section 15 (Which Sytner Group Companies are covered by this notice?)

1.4  It is important that you read this notice together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This notice supplements the other notices and is not intended to override them.

1.5  This website and our services are not intended for children and we do not knowingly collect personal data relating to children. If you are under 16 please do not provide us with any of your personal data unless you have the permission of your parent or guardian to do so.


2   Changes to this notice

2.1  The contents of this notice may change from time to time. We will post any updates to this notice on our website https://careers.sytner.co.uk/privacy-policy. You may wish to check this page to ensure you are still happy to share your personal data with us. Where we make material changes to this notice, we will also contact you directly to notify you of these changes.


3   Who is the controller for my personal data?

3.1  A ‘controller’ is a person or organisation who decides why and how your personal data is collected, used and shared. They are responsible for ensuring that the processing complies with data protection legislation.

3.2  This notice covers the Sytner Group Limited known as the ‘controller’ and subsidiary companies within the Sytner Group see Section 15 (Which Sytner Group Companies are covered by this notice?). When we say 'we' or 'us', or refer to “Sytner Group” in this notice, we are referring to Sytner Group Limited and its group of companies.


4   What personal data do we collect about you?

4.1  Personal data means any information about a living individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). As part of the recruitment process, we collect and process personal data relating to job applicants. We collect a range of information about you. This includes:

4.1.1  your name, address and contact details, including email address and telephone number;

4.1.2  details of your qualifications, skills, experience and employment history;

4.1.3  information about your current level of remuneration, including benefit entitlements;

4.1.4  whether or not you have a disability for which the Sytner Group needs to make reasonable adjustments during the recruitment process;

4.1.5  information about your entitlement to work in the UK; and equal opportunities monitoring information, including information about your ethnic origin, sexual orientation, health, and religion or belief;

4.1.6  any other personal data you have provided within your CV or covering letter as part of your application;

4.1.7  We also collect, use and share aggregated data such as statistical or demographic data for any purpose. Aggregated data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.


5   Where do we get your personal data from?

5.1  We collect personal data when you provide this to us directly in the scenarios listed below:

5.1.1  when you submit a job application via this website, through one of our dealerships or via our social media platforms;

5.1.2  when you respond to a Sytner Group job advertisement;

5.1.3  contained in application forms, CVs or resumes you send to us directly or indirectly through recruitment agencies or consultants you have engaged with, obtained from your passport or other identity documents, or collected through interviews or other forms of assessment

5.1.4  Sytner Group may also collect personal data about you from third parties, such as references supplied by former employers, information from employment background check providers and information from criminal records checks. The Sytner Group will seek information from third parties only once a job offer to you has been made and will inform you that it is doing so.

5.1.4  Data will be stored in a range of different places, including on your application record, in Sytner Group’s HR management systems and on other IT systems (including email).


6   What is the legal basis for processing your personal data?

6.1  We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

6.1.1  Contractual performance – where we need to process your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.

6.1.2  Legal or regulatory obligation – when we have to process your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to.

6.1.3  Legitimate interest – when it is in our legitimate interest (or that of a third party) and those interests do not override your rights and freedoms, for example when it is in the interest of our business to receive applications from an external recruitment agency or to provide manufacturer apprentice programmes. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us using the contact details set out in Section 16 (How to contact us).

6.1.4  Vital interests – where it is necessary to process your personal data to protect your vital interests or another person.

6.1.5  Consent – generally we do not rely on consent as a legal basis for processing your personal data.


7   Why we process your personal data

7.1  The Sytner Group needs to process data to take steps at your request prior to entering into a contract with you. It also needs to process your data to enter into a contract with you.

7.2  In some cases, Sytner Group needs to process data to ensure that it is complying with its legal obligations. For example, it is required to check a successful applicant's eligibility to work in the UK before employment starts.

7.3  The Sytner Group has a legitimate interest in processing personal data during the recruitment process and for keeping records of the process. Processing data from job applicants allows Sytner Group to manage the recruitment process, assess and confirm a candidate's suitability for employment and decide to whom to offer a job.

7.4  Sytner Group may also need to process data from job applicants to respond to and defend against legal claims.

7.5  Where Sytner Group relies on legitimate interests as a reason for processing data, it has considered whether or not those interests are overridden by the rights and freedoms of employees or workers and has concluded that they are not.

7.6  Sytner Group processes health information if it needs to make reasonable adjustments to the recruitment process for candidates who have a disability. This is to carry out its obligations and exercise specific rights in relation to employment.

7.7  Where Sytner Group processes other special categories of data, such as information about ethnic origin, sexual orientation, health or religion or belief, this is for equal opportunities monitoring purposes.

7.8  For some roles, Sytner Group is obliged to seek information about criminal convictions and offences. Where the Sytner Group seeks this information, it does so because it is necessary for it to carry out its obligations and exercise specific rights in relation to employment.

7.9  Sytner Group will not use your data for any purpose other than the recruitment exercise for which you have applied.

7.10  If your application is unsuccessful, the Sytner Group will keep your personal data on file in case there are future employment opportunities for which you may be suited.


8   What rights do you have under data protection legislation?

8.1  Under certain circumstances, you have rights under data protection laws. These are set out below:

8.1.1   The right to request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.

8.1.2   The right to request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

8.1.3   The right to request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

8.1.4   The right to object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which over ride your rights and freedoms.

8.1.5   The right to request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.

8.1.6   The right to request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.

8.1.7   The right to withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

8.2  If you wish to exercise any of the rights set out above, please contact us using the details set out in Section 16 (How to contact us).

8.3  You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

8.4  We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

8.5  We try to respond to all legitimate requests within one calendar month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.


9   Who has access to your personal data?

9.1  Your information will be shared internally for the purposes of the recruitment exercise. This includes members of the HR team, interviewers involved in the recruitment process, managers in the business area with a vacancy and IT staff if access to the data is necessary for the performance of their roles.

9.2  Sytner Group will not share your data with third parties, unless your application for employment is successful and it makes you an offer of employment. The Sytner Group will then share your data with former employers or parties named by you to obtain references for you, employment background check providers to obtain necessary background checks, to complete driving licence checks through the DVLA and to obtain necessary criminal records checks.


10   Transfers outside the UK

10.1  We may need to transfer your personal data outside the UK to other service providers, agents, subcontractors and regulatory authorities in countries where data protection laws may not provide the same level of protection as those in the European Economic Area (EEA).

10.2  We will only transfer your personal information outside the EEA where either:

10.2.1  the transfer is to a country which the EU Commission has decided ensures an adequate level of protection for your personal information or;

10.2.2  we have put in place our own measures to ensure adequate security as required by data protection law.

10.3  These measures include ensuring that your personal information is kept safe by carrying out strict security checks on our overseas partners and suppliers, backed by strong contractual undertakings approved by the relevant regulators, such as the EU style model clauses. Some US providers may also be certified under the EU-US Privacy Shield which confirms they have appropriate measures in place to ensure the protection of your data.


11   How do we keep your personal information secure?

11.1  Sytner Group takes the security of your data seriously. It has internal policies and controls in place to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the proper performance of their duties.

11.2  We use a variety of security measures, including encryption and authentication tools, to help protect and maintain security, integrity and availability of your personal data.

11.3  Although data transmission over the Internet or website cannot be guaranteed to be secure, we and our business partners work hard to maintain physical, electronic and procedural safeguards to protect your personal data in accordance with applicable data protection requirements. Our main security measures are:

11.3.1  restricted personal access to your data on a 'need to know' basis and for the communicated purpose only;

11.3.2  highly confidential data stored in encrypted form;

11.3.3  firewalled IT systems to prohibit unauthorised access e.g. from hackers; and

11.3.4  permanently monitored access to IT systems to detect and stop misuse of personal data.


12   How long do we keep your personal data?

12.1  We retain your personal data only as long as is necessary for the purpose for which we obtained them and any other permitted linked purposes. If personal data is used for two purposes we will retain it until the purpose with the latest period expires; but we will stop using it for the purpose with a shorter period once that period expires. Our retention periods are based on business needs and your personal data that is no longer needed is either irreversibly anonymised or destroyed securely.

12.2  If your application for employment is unsuccessful, Sytner Group will hold your data on file for 12 months after the end of the relevant recruitment process, unless you have asked us to keep you on our records for future opportunities, in which case, with your agreement, Sytner Group will hold your data on file for a further 12 months for consideration for future employment opportunities. At the end of that period your data is deleted or destroyed.

12.3  If your application for employment is successful, personal data gathered during the recruitment process will be transferred to your personnel file and retained during your employment. The periods for which your data will be held is detailed in the Sytner Group data retention policy.


13   Third-Party Links contained on our website

13.1  Our website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy notices and statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.


14   Cookies and how we use these to process your personal data?

14.1  A 'cookie' is a piece of information that a website transfers to the cookie file of the browser on your computer's hard disk, so that the website can remember who you are. A cookie will typically contain the name of the domain from which the cookie has come, the 'lifetime' of the cookie, and a value, usually a randomly generated unique number. You can accept or decline cookies by modifying the settings in your browser. However, you may not be able to use all the interactive features of our websites if cookies are disabled. You can restrict the type of cookies being placed on your hard drive when browsing our website by clicking on the button ‘change cookie settings’ at the bottom of the web page.


15   Which Sytner Group companies are covered by this notice?

Sytner Group Limited is registered in England & Wales under Company number: 2883766 and headquartered in Leicester. The Sytner Group is wholly owned by Penske Automotive Group based in the United States of America and listed on the NYSE as a part owned division of the Penske Corporation.

Sytner Group Limited is authorised and regulated by the Financial Conduct Authority (FCA) for insurance and mediation activities under FRN 310540.

The following Sytner Group companies are covered by this notice. All of these companies have their registered office address at 2 Penman Way, Grove Park, Leicester, LE19 1ST:

15.1  Companies trading within the Sytner Group

15.1.1  Sytner Group Limited No: 813696

15.1.2  Marenello Holdings No: 2001186

15.1.3  Maranello Concessionaires Limited No: 655104

15.1.4  Cruickshank Motors Limited No: 1837492

15.1.5  R Stratton & Co Limited No: 2696872

15.1.6  Sytner Group Cars Limited No: 2832086

15.1.7  Edmond & Milburn Limited: No: 3008457

15.1.8  Graypaul Motors Limited No: 3079284

15.1.9  Goodman Retail Limited (formerly Goodman Leeds Limited) No: 3097514

15.1.10  Guy Salmon Limited No: 3574418

15.1.11  Goodman TPS Limited No: 6821483

15.1.12  Sytner Group Vehicles Limited No: 7089922

15.1.13  Car Shops Limited No: 5331512

15.1.14  Leslie H. Trainer and Son Limited No: 1140490

15.1.15  Car People Limited No: 3743283

15.1.16  Sytner Group Properties Limited No: 3611990

15.1.17  Ryland Group Limited No: 4813103

15.1.18  Trainer (Holdings) Limited No: 8745259


16   How to contact us

16.1  We have appointed a data protection officer who is responsible for overseeing data protection for the Sytner Group. If you have any questions about this notice, your rights under data protection legislation as set out in Section 8 (What rights you I have under data protection legislation?) or the processing of your personal data generally you can contact us free of charge at any time by using the details below:

16.1.1  By sending an email to our Data Privacy & Compliance Team data.team@sytner.co.uk

16.1.2  By writing to us at Data Privacy & Compliance Team, Sytner Group, 2 Penman Way, Grove Park, Leicester, LE19 1ST

16.1.3  By calling us on 0116 282 1000

16.2  If you are dissatisfied with our use of your personal data or our response to any exercise of these rights you have the right to complain to your data protection authority, this in the UK is the Information Commissioner's Office (ICO) www.ico.org.uk.

16.3  All companies within the Sytner Group are registered with the ICO as data controllers. You can see a list of all Sytner Group trading companies under Section 15 (Which Sytner Group companies are covered by this notice?’)


17   What if you do not provide personal data?

17.1  You are under no statutory or contractual obligation to provide data to Sytner Group during the recruitment process. However, if you do not provide the information, the Sytner Group may not be able to process your application properly or at all.

17.2  You are under no obligation to provide information for equal opportunities monitoring purposes and there are no consequences for your application if you choose not to provide such information.