Privacy Policy | Hudson Group

PRIVACY POLICY

Responsible Department: Human Resources	Date Established: 18/05/18
Responsible Executive: HR Director	Date Last Revised: 23/11/2023

TABLE OF CONTENTS

1. INTRODUCTION

2. SCOPE

3. DEFINITIONS

4. CONTROLLER AND PROCESSORS

5. PERSONAL DATA COLLECTED

6. PURPOSES AND LAWFUL BASIS FOR COLLECTING PERSONAL DATA

7. RECIPIENTS OF PERSONAL DATA

8. DATA STORAGE AND RETENTION

9. DATA SUBJECT RIGHTS

10. DATA SECURITY

11. ENFORCEMENT

1. INTRODUCTION

This document sets forth the Privacy Policy (“the Policy”) governing the use of a Candidate’s Personal Data (as defined below) by the Hudson Group, composed of Hudson Holdings LTD and its subsidiaries.

We have tried to keep this policy as simple and plain as possible. However, if any part is unclear to you, contact us at privacy@hudson.com.mt and we will respond to your query in due time and clarify any doubt you may have.

2. SCOPE

This Policy applies to Personal Data (as defined herein) processed by Hudson in relation to your application for employment with Hudson.

You wish to apply for a job with the Company and you will therefore disclose certain personal data in your Employment Application and Curriculum Vitae. The Company will process this personal data to assess your suitability for the position you applied for. Therefore, the processing is necessary, at your request, with a view to potentially entering into a contract of employment with you.

We will assess all applications received and shortlist a few. If your application is shortlisted we will move on to the next stage of the recruitment process and call you in for one or more interviews. We will therefore further process your personal data to contact you and coordinate the interview/s. If you are chosen from among the candidates interviewed you will be contacted with a job offer. Even if you are not shortlisted or shortlisted but not chosen for the job, we may still retain your Recruitment Record for a further period in line with the Data Storage and Retention Section below as this may be necessary in our legitimate interests to contact you should the job or any other job become available again during this period.

Note that the Company’s premises are monitored by CCTV and access control systems to safeguard our legitimate interest to ensure the security of our premises. Recordings from such systems may be used as evidence in cases of misconduct. Therefore, if you are called in for an interview we will collect and process your personal data through CCTV footage while you are onsite.

Hudson undertakes to abide by the following principles when Processing Employee’s Personal Data:

Lawfulness: Personal Data is obtained and processed by lawful means and within the terms of the Applicable Law (as defined herein);
Fairness: the processing of Personal Data will reflect what stated in this Policy;
Transparency: The employee concerned is informed about what categories of Personal Data are processed, for what purposes, by whom, for how long they are retained, and about their rights in relation to data protection.
Purpose Limitation: Personal Data is collected for specified, explicit and legitimate purposes and not further processed in a manner which is incompatible with those purposes;
Data minimisation: Personal Data collected is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
Accuracy: Personal Data is accurate, complete and, where necessary, kept up to date;
Storage limitation: Personal Data is kept in a form which permits identification of Data Subjects (as defined herein) for no longer than is necessary for its declared purpose(s);
Integrity and Confidentiality: Personal Data is processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical measures;

3. DEFINITIONS

*“Applicable Law”*	Shall mean the relevant data protection and privacy law, including GDPR (as defined herein) to which the Controller (and the Processors) are subject, and any guidance or statutory codes of practice issued by the relevant Privacy Authority/ies;
*“Controller”*	Shall, for the purposes of this Policy means the entity identified in Section 4 below which entity determines the purposes and means of the processing of Personal Data;
*“GDPR”*	Shall mean General Data Protection Regulation, Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data;
*“Data Subject”*	Shall mean a natural person resident in the European Economic Area who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity. For purposes of this Policy, Data Subject shall be restricted to any current and former Hudson employees (as defined herein);
*“Candidate”* or “You”	Shall mean any individual applying for employment with Hudson at all levels and grades;
*“ Prospective Employer”*	Shall mean either of (i) Hudson Holdings Limited (C37866), company incorporated in Malta with offices at Hudson House, Burmarrad Road, Burmarrad, SPB9060, Malta. The Controller is reachable at: privacy@hudson.com.mt or +356 2147 2790; or (ii) Hudson Malta Sales Limited (C32438), a company incorporated in Malta with offices at Hudson House, Burmarrad Road, Burmarrad, SPB9060, Malta. The Controller is reachable at: privacy@hudson.com.mt or +356 2147 2790 or (iii) BD International Group Limited (C61540) a company incorporated in Malta with offices at Hudson House, Burmarrad Road, Burmarrad, SPB9060, Malta. The Controller is reachable at: privacy@hudson.com.mt or +356 2147 2790.
*“Employment agreement”*	Shall mean the agreement that the Candidate and the Prospective Employer may enter into establishing the terms of the employment relationship;
*“Hudson Group”*	Shall mean Hudson Holdings LTD and all the subsidiaries forming part of the Group.
*“Personal Data”*	Shall mean any information relating to an identified or identifiable natural person as defined by the Applicable Privacy Law and including the categories of data listed in this Policy that the Controller (and the Processors) process;
*“Processing”* or “Processed”	Shall mean any operation or set of operations which is performed upon Personal Data whether or not by automatic means, including collecting, recording, organising, storing, adapting or altering, retrieving, consulting, using, disclosing, making available, aligning, combining, blocking, erasing and destroying Personal Data as defined in the Applicable Privacy Law;
*“Processor”*	Shall mean a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller;
*“Recruitment Record”*	Shall mean the employment application, the curriculum vitae, references, educational qualifications and certificates, interview notes and any other document or information requested from You as part of the recruitment process.
*“Sensitive Personal Data”*	Shall mean Personal Data that reveals a natural person’s race, ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, any information that concerns a natural person’s sex life or health, or information relating to the commission of a criminal offense.

4. CONTROLLER AND PROCESSORS

The Controller is your Prospective Employer (as defined above) as identified in the vacancy advert issued by Hudson and/or as disclosed to you by the recruitment agency through which you are submitting your application for employment.

4.2 The Processors are:

(i) Talentlyft in order to keep track of your application and to engage with you throughout the process.

The relationships between the Controller and the Processors have been formalized concluding Data Processing Agreements based on Art. 28.3 GDPR.

5. PERSONAL DATA COLLECTED

5.1 Hudson may process the following items of Personal Data, which may be obtained directly from you or indirectly through the recruitment agency through which you have submitted your application (the “Candidate’s Data”):

Name and surname;
Address;
Identity card number;
Civil status;
Date of Birth;
Place of Birth;
Contact Details;
Character references; and
Qualifications and Training;

5.2 The following categories of sensitive personal data are collected:

(i) Police conduct certificate;

6. PURPOSES AND LAWFUL BASIS FOR COLLECTING PERSONAL DATA

Personal data is only collected for specific, explicitly stated and legitimate purposes and is processed according to the lawful basis identified below.

Contract: “Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior entering into a contract”
For the purposes of this Policy, Contract refers to the employment contract.
Compliance with a legal obligation: “Processing is necessary for compliance with a legal obligation to which the controller is subject”.
Legitimate Interest: “Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except when such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”.
Art. 9.2 (b): “Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject”

Categories of personal data	Purpose(s)	Legal basis
Employment application, CV; Education Qualifications and Certificates;	Recruitment, selection and shortlisting of candidates for previously published vacancies and any other vacant role that may be available at Hudson.	processing is necessary in order to take steps at the request of the data subject prior to entering into a contract
References	Verification of information provided in the employment application by job applicant.	processing is necessary in order to take steps at the request of the data subject prior to entering into a contract
Name and Last Name	Identify the Candidate for the purpose of the recruitment process Maintain Recruitment records;	processing is necessary in order to take steps at the request of the data subject prior to entering into a contract
Date of Birth	Verify the Candidate’s age, and, consequently, their legal capacity to enter into the Employment agreement; Maintain Recruitment Records	processing is necessary in order to take steps at the request of the data subject prior to entering into a contract
Gender	To ensure that the Candidate is addressed correctly throughout the recruitment process.	processing is necessary in order to take steps at the request of the data subject prior to entering into a contract
Home address	Address communications to the Candidate; Maintain Recruitment Records.	processing is necessary in order to take steps at the request of the data subject prior to entering into a contract
ID Card/Passport copy	Maintain Candidate records; Verify Candidate’s entitlement to work in Malta; Verify Candidate’s identity and age.	processing is necessary in order to take steps at the request of the data subject prior to entering into a contract
Personal email address	Communicate with the the Candidate;	processing is necessary in order to take steps at the request of the data subject prior to entering into a contract
Personal landline number	Communicate with the Candidate.	processing is necessary in order to take steps at the request of the data subject prior to entering into a contract
Personal mobile number	Communicate with the Candidate.	processing is necessary in order to take steps at the request of the data subject prior to entering into a contract
CCTV	To ensure the safety and security of Hudson staff, visitors and customers, to investigate incidents and alleged misconduct as further detailed in the Hudson CCTV Privacy Policy	Legitimate interest
Categories of sensitive personal data	Purpose(s)	Legal basis
Police conduct certificate	Verification of a clean police conduct	processing is necessary in order to take steps at the request of the data subject prior to entering into a contract

7. RECIPIENTS OF PERSONAL DATA

7.1 Candidate’s Data may be shared between the undertakings forming part of the Hudson Group, as foreseen by GDPR.

7.2 Candidate’s Data may be shared between the Controller and the Processors.

7.4 Candidate Data may be disclosed to employees other than those serving in the HR department of Hudson Group, and namely IT, Finance, Data Management, Marketing and Supply Chain.

7.5 Candidate’s Data is never transferred outside of the European Economic Area (EEA) or to international organizations.

7.6 Hudson will release Candidate Data if obliged to do so to comply with any law, regulation or court order.

7.7 Hudson Group does not sell, trade or otherwise transfer Candidate Data to any third party other than the above.

8. DATA STORAGE AND RETENTION

8.1 Candidate Data in electronic format is stored

(i) by Talentlyft, a cloud based solution, with servers within the EU

(ii) Internal server, accessible through file storage folders and ShireBurn payroll system, both protected by access control system;

(iii) HR personnel computer system hard drives, password protected.

Candidate Data in tangible, hard copy form, is securely stored in locked cabinets to which only designated HR personnel has access. Personal Data is stored on servers within the EU or third countries having equivalent protection.

8.2 Personal data is not kept for a period longer than is necessary, having regard to the purposes for which they are processed.

8.3 Your Recruitment Record is retained throughout the Recruitment Process. If you are chosen for the job, your Recruitment Record will be included in your ‘Employee File’ and will be processed in accordance with Employee Privacy Statement which will be made available to you together with your Employment agreement. If you are not shortlisted or if you are shortlisted but not chosen for the job, your Recruitment Record will be retained on file for a period of six (6) months in case we need to contact you again to offer you the job or another job which reflects your qualifications and experience during this period. You can ask us to delete your Recruitment Record at any time during this period by sending an email to privacy@hudson.com.mt.

8.4 The Police Conduct Certificate is not retained. It is verified by the Hudson recruitment staff and where provided in physical copy returned to the Candidate once verified.

9. DATA SUBJECT RIGHTS

9.1 As an employee of Hudson, you have extensive rights when it comes to the processing of your personal data.

Your rights, listed below, may be enforced by contacting the Controller (or the Processor, if your request is related to one of the data processing activities conducted by the Processors) by email, by post or by phone using the contact details provided above.

You are guaranteed a response within 30 days from the date of receipt of your enquiry.

If your request is particularly complex or we need to process an extraordinary number of simultaneous requests, Controller’s reply may take longer but will be provided no later than 2 months from the date of receipt of the enquiry. This reply will also include details explaining the reason for the delay in our response.

We will provide the information in digital format or, if preferred, in hard copy format.

Such requests will not incur any fee, except when:

(i) The requests are manifestly unfounded or excessive, in particular because of their repetitive character. In this case a reasonable fee will be charged, taking into account the administrative costs of providing the information or communication or taking the action requested. In this case, we may also refuse to act on the request after having explained our position;

Should we have reasonable doubts concerning your identity when making the request above, we may require additional information, necessary to confirm your identity.

9.2 Access

You may obtain confirmation from us as to whether or not your Personal Data is being processed, including:

(i) the purposes of the processing;

(ii) the categories of Personal Data concerned;

(iii) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular if countries outside of the European Economic Area or international organisations;

(iv) where possible, the envisaged period for which the Personal Data will be stored, or, if not possible, the criteria used to determine that period;

(v) the existence of the right to request from the Controller (or the Processor, if your request is related to one of the data processing activities conducted by the Processors) rectification or erasure of Personal Data or restriction of processing of Personal Data concerning the Data Subject or to object to such processing;

(vi) the right to lodge a complaint with the supervisory authority;

(vii) the right to data portability;

(viii) the existence of automated decision-making, including profiling.

9.3 Rectification

In case your date is inaccurate, incomplete or out-of-date, you have the right to rectify it.

9.4 Deletion (“the right to be forgotten”)

You have the right to have your Personal Data erased in case:

(i) Such data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;

(ii) The employment agreement is terminated or longer in force, and there is no other legal basis legitimating the processing activities;

(iii) You have objected to processing the data and there is no other legal basis legitimating its processing;

(iv) You believe that your Personal Data has been unlawfully processed;

(v) Your Personal Data has to be erased in order to ensure compliance with any legal obligations arising from any legislation enacted within the European Union or in Malta.

9.5 Restriction

You have the right to request a restriction on the processing of your Personal Data in case:

(i) You contest the accuracy of your Personal Data, for a period enabling us to verify the accuracy of such data;

(ii) The processing of your data is unlawful, and you oppose the erasure of your personal data and request the restriction of their use instead;

(iii) We no longer need the Personal Data for the purposes of the processing;

(iv) We no longer need your data, but we are required by you to retain the data for the establishment, exercise or defence of legal claims;

(v) You have objected to processing (as specified in detail below), pending the verification whether our legitimate grounds override yours.

When you restrict processing, your personal data will, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State.

In case you have obtained restriction of processing as per above, we will inform you before the restriction of processing is lifted.

9.6 Data Portability

You enjoy a right to data portability with respect to your Personal Data held by Hudson and Hudson hereby binds itself to provide you with the Personal Data concerning yourself which you have provided to the Employer, in a structured, commonly used and machine-readable format. In addition, you enjoy the right to transmit that data to another data controller without hindrance from Hudson.

9.7 Complaint

In addition to the above, and without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with the Information and Data Protection Commissioner (IDPC), competent Supervisory Authority for the Controller in Malta, if you deem it necessary to do so.

The complaint may be submitted online through this link (subject to change): https://idpc.org.mt/en/Pages/contact/complaints.aspx

10. DATA SECURITY

10.1 Hudson takes reasonable and appropriate administrative, technical and physical measures to protect the confidentiality, integrity and availability of Personal Data, whether in electronic or tangible, hard copy form. These measures include:

(i) Secure storage;

(ii) Regular back-ups;

(iii) Access control.

10.2 Hudson takes reasonable steps to protect Personal Data from loss, misuse and unauthorized access, disclosure, alteration and destruction.

Hudson follows good practice policies and procedures for it Information Technology and Management, Backups and Data Recovery as well as Incident Response.

11. ENFORCEMENT

11.1 Upon establishment, this Policy will be communicated and made available to all employees of Hudson.

11.2 All employees in charge of processing Personal Data shall comply with the provisions set forth by this Policy.

11.3 Breach of any of the provision of this Policy by employees in charge of processing Personal Data may lead to disciplinary action including dismissal, as foreseen by the internal Disciplinary Policy established on 01/02/2014 and revised on 01/07/2017, by Chapter 452 of the Laws of Malta - Employment and Industrial Relations Act and other subsidiary legislation.