MHI Group Privacy Notice for Job Applicants

Last updated January 12, 2022

Introduction

We take your privacy and the protection of personal data very seriously. We therefore ask that you read this Privacy Notice carefully as it contains important information about what to expect when we collect personal data about you, how we will use your personal data and what legal grounds we are relying on to process it.

This is the Group Privacy Notice for Job Applicants (Privacy Notice) for the global recruitment site of the MHI group (MHI Group) and includes the particular MHI Group entity you are applying to (we, our, or us).

This recruitment site is operated by Mitsubishi Heavy Industries EMEA, Ltd. (MHI-EMEA), a member of the MHI Group based in the UK (whose full details and contact information can be found in the ‘Contacting Us’ section at the end of this Privacy Notice). You can click here to see a list of MHI Group entities along with their contact details.

Laws protecting your data

Each member of the MHI Group is subject to different data protection laws, depending on where in the world it is located. As a result, the way in which your personal data will be used and your legal rights will depend on which member of the MHI Group you apply to and where it is located and, in particular, whether or not that entity is in the United Kingdom (UK) or in the European Economic Area (EEA).

Data protection in the EEA is governed by the General Data Protection Regulation 2016/679 (GDPR) and related national laws, and in the UK by the Data Protection Act 2018 (DPA 2018) and UK GDPR (as defined in the DPA 2018) (collectively, European Data Protection Laws). References to ‘Articles’ in this Privacy Notice are to Articles of (as applicable) GDPR or UK GDPR.

This Privacy Notice covers the MHI Group’s processing of personal data generally with respect to job applicants but also contains information which is specific to candidates from the UK or EEA, or individuals applying to MHI Group entities in the UK (including MHI-EMEA) and the EEA (including MHI-EMEA’s branches in Germany and the Netherlands).

What personal data we process

The information we collect about applicants will include information about your personal and contact details, as well as any information you provide to us (such as in resumes/CVs, cover letters, application forms), interview and application notes, references, information about your current employment and the applications you have made and, where appropriate and to the extent permitted by the applicable law, information from background checks. The information we process may also include special category data (such as health, religious or ethnicity information) as permitted by local applicable laws.

Our lawful basis for processing your data

When you apply using this recruitment site, your personal data will be sent to the MHI Group entity which is advertising the role you apply for. That entity will be the data controller of the personal data you provide during your application and will therefore be responsible for determining how and why your personal data will be used.

We will collect, process and disclose your personal data where necessary to perform pre-contractual steps taken at your request (being to process your job application with a view to possibly entering into an employment contract with you) (Article (6)(1)(b)). If you do not provide all the information we need in connection with your application then we might not be able to consider you for a job.

We will also process your personal data to the extent necessary to pursue our legitimate interests in managing and administering our recruitment process (Article 6(1)(f)) or, in certain cases (for example, health-related information about reasonable adjustments you require), to comply with our legal obligations under applicable legislation (Article 6(1)(c)).

In the event that, as required or permitted by the applicable law you provide us with any special category data (such as health, religious or ethnicity information) then the additional condition we will rely on to process such data is that it is necessary for us to carry out our obligations in the fields of employment and the safeguarding of your fundamental rights (Article 9(2)(b) and relevant provisions of related national UK/EEA laws).

Scope of this Privacy Notice

This Privacy Notice applies to all personal data you provide in connection with your job application and any information obtained from third parties such as prior employers, referees and further information obtained about you from any other sources.

We will process such personal data only for the purposes of carrying out the recruitment process. Your application and any personal data included therein will only be processed by the entities within the MHI Group which are involved in the recruitment process and, even then, only to the extent strictly necessary for that purpose.

How does the application system work?

Candidates can apply for a position within the MHI Group anywhere in the world using SuccessFactors, which is the MHI Group’s global workforce management system. Candidates can apply for a specific vacancy, a student position, or a position through the open applicant pool. If a candidate is an existing MHI Group employee, they can import information already stored in the SuccessFactors Employee Central system into their application.

Application information is stored in the central SuccessFactors database servers, which are located in Germany. MHI Group recruiters around the world will be able to match candidates with open vacancies within their respective MHI Group entities.

If you have previously applied for a role with a MHI Group entity through another means (for example, by email), your decision not to register with this recruitment site will not affect any previous applications you have made. However, for convenience and in order to ensure the safe delivery of your application, we recommend that you use the SuccessFactors online recruitment site where possible. You may also choose to submit an application by post by using the address of the relevant entity provided click here.

How will we use your data?

Your personal data will be used by the relevant entities in the MHI Group to assess your application, check references, verify information and (in some cases), as permitted by the applicable law, conduct credit, security and other background checks. If any vetting or checks are necessary you will be informed of these beforehand and we will only carry out such checks or seek references at the final stage of the recruitment process once you are selected for an offer of employment or as may be required by applicable laws.

We will not use your personal data to make decisions about you based on automated processing (including profiling) which could have a legal or other similarly significant effect on you.

Who has access to your data?

MHI Group recruiters and relevant managers in the MHI Group entities that you apply to will have access to your personal data.

International transfers

European Data Protection Laws generally prohibit personal data from being exported outside the UK or the EEA to any third countries unless such countries have been determined by the UK or the EU as offering adequate protection for personal data, appropriate safeguards are in place to protect the personal data, or a derogation (meaning an exemption) to GDPR applies.

Typically, when your personal data is transferred outside the UK or EEA it will be subject to the following conditions (International Transfer Protections):

  1. Applications to MHI Group companies outside the UK or EEA: In these situations we will transfer your personal data to the non-UK/non-EEA MHI Group company on the basis that it is necessary to do so in order for us to assess your application at your request with a view to them potentially entering into a contract with you. As this is an essential pre-contractual measure, the transfer will be based on a derogation from the GDPR (Article 49(1)(b)).
    The non-UK/non-EEA MHI Group company which receives your data will keep your information safe and adhere to the same high standards as the rest of the MHI Group when processing your personal data. However, you should be aware that not all countries outside the UK or EEA provide equivalent legal protection to personal data as that afforded by the GDPR and other European Data Protection Laws.
  2. Transfers to a country which has been recognised as providing adequate protection for personal data: Certain countries, including Japan, have been recognised by (as applicable) the UK or the EU as ensuring adequate protection for personal data under GDPR (Article 45). As SuccessFactors is a global database, personal data may be stored or processed by MHI Group companies and their service providers in Japan or other countries which ensure adequate protection for personal data.
  3. Appropriate safeguards are in place to protect your personal data: The continued operation of the SuccessFactors platform relies on services from MHI Group companies and their service providers around the world. Where these companies are located in third countries which are not recognised as providing adequate protection under GDPR, we ensure that appropriate safeguards (such as approved Standard Contractual Clauses for protecting personal data) (Article 46) are in place to protect your personal data.

In order to ensure the proper functioning of the SuccessFactors recruitment platform your personal data may need to be shared with other MHI Group entities and trusted third-party providers on a strictly as-needed basis for service delivery and maintenance purposes. As explained above, if such a provider is based outside (as applicable) the UK or the EEA then we shall ensure that your personal data is only transferred to them if there are International Transfer Protections in place.

We require all of the entities within the MHI Group, and any trusted third-party providers, that receive or have access to your personal data to treat it as confidential and only process it in accordance with the strict requirements of applicable UK, EEA and other data protection laws, regulations and other applicable legal safeguards (including the International Transfer Protections).

Your personal data will not be sold to third parties. If you wish to obtain further details of the safeguards we have in place for transfers concerning your personal data, please contact us using the details set out at the end of this Privacy Notice.

Your rights

Your legal rights as a data subject in relation to your personal data will depend on whether or not the MHI Group entity you are applying to is located in the UK/EEA or in another country.

If you apply to an MHI Group entity located in the UK/EEA to which the European Data Protection Laws apply then you will have the following rights in respect of your personal data:

  1. obtain a copy of your personal data in a commonly used format (Article 15);
  2. have your data corrected or updated (Article 16), (which you can do yourself as described below);
  3. have your data erased (Article 17) in certain circumstances;
  4. restrict how your data is used (Article 18) in certain circumstances;
  5. request your data be transferred to you or to a third party (Article 20) in certain circumstances; and
  6. object to your personal data being used (Article 21) in certain circumstances.

If you would like to exercise any of your rights, you can do so by contacting us using the details set out at the end of this Privacy Notice.

If the MHI Group entity you apply to is outside the UK or the EEA, then your legal rights will depend on the laws which apply in the relevant country. In this situation you should contact the local MHI Group entity’s HR Manager or recruitment contact, who will be able to assist you with exercising your data protection rights in that jurisdiction. If you do not have the relevant contact details for such individuals, then please contact us using the details set out at the end of this Privacy Notice.

We want to ensure that your personal data is accurate and up to date. If any of the information that you have provided to us changes, you will be able to amend, update and correct the information you have provided to us through the open applicant pool or by contacting us directly using the details set out at the end of this Privacy Notice.

How long will we keep your data?

We will keep your personal data for a maximum period of six months from the date that you last logged into the recruitment site. We may retain your data for a longer period of time where necessary to comply with our legal obligations or where we have other compelling legitimate interests or legal grounds for doing so (for example, to respond to ongoing requests or claims made by candidates). If you want us to erase your personal data before this time, you may delete your profile by logging into your account and selecting the ‘delete profile’ option. Please note, erasing your profile will only delete personal data stored in the SuccessFactors application system and will not, for example, erase emails or other correspondence between you and us.

Where you have a legal right to have your personal data erased and wish to exercise it, then please contact us.

Cookies

Cookies may be used to ease site navigation for visitors and to facilitate efficient registration procedures. Cookies are text files placed on your hard drive by a web page server. A web browser is part of your computer. These are usually set to accept cookies automatically but can normally be changed to decline them. If you are concerned about cookies, we suggest you modify your web browser setting. Please note, though, that you might not be able to use all site features without the use of cookies.

How will we secure your data?

We recognise our responsibility to protect the information and personal data you provide to us. We have implemented appropriate technical and organisational measures to ensure your information is kept safe, and use a variety of secure techniques to protect your information, including secure servers, firewalls, and encryption of application data and of your communications with our third party provider via the Internet. For more details on these measures, please contact us.

Modifications

We reserve the right to modify or amend this Privacy Notice at any time. The effective date of this Privacy Notice is displayed at the beginning of this notice. We may update you by email of any significant changes we make to this Privacy Notice but please check back periodically, and especially before you provide any personal data.

Contacting us

We welcome your views about our recruitment site and our Privacy Notice. If you have any queries or comments, please contact the HR Manager or other point of contact for the particular MHI Group entity you are applying for (whose details will usually be provided in the acknowledgement of your application). You can also click here to find contact details for the various entities in the MHI Group .

If you have a specific data protection query relating to recruitment by the MHI Group’s entities in the UK, or if you have not yet submitted an application and have a general data protection query you can e-mail us at [email protected], attention: Head of Legal.

European Data Protection Laws provide individuals with the right to lodge a complaint with the relevant data protection supervisory authority in the event of a breach of the law (Article 77). In the UK, the relevant authority is the Information Commissioner’s Office whose details can be found by visiting www.ico.org.uk. However, if you do have a concern or a complaint please contact us in the first instance at [email protected], attention: Head of Legal, and we will try our best to resolve it.

Each EEA country will have its own national data protection supervisory authority. This will generally be the supervisory authority in the country in which you usually live, work or where you consider that an alleged infringement of the GDPR has occurred. A list of supervisory authorities can be found on the website of the European Commission (click here).

Mitsubishi Heavy Industries EMEA, Ltd. is a limited liability company incorporated in England and Wales under company number 02282265, having its head office at Building 11, Chiswick Park, 566 Chiswick High Road, London W4 5YA United Kingdom. MHIE is registered as a data controller with the UK Information Commissioner’s Office under number ZA116343

Country-specific recruitment privacy notice addendum for United Kingdom

Notwithstanding the previous provision, the following provisions shall prevail for applicants if personal data is processed in the United Kingdom and/or the personal data is processed in context of an activity of an establishment of a controller or processor in the United Kingdom (in the following referred to as “UK Applications”).

What personal data we process, how will we use your data and our lawful basis:

To specify the information of the Group Privacy Notice for Job Applicants, we process the following categories of personal data for the following purposes on the following lawful bases:

Purpose of the processing Category of personal data processed for such purpose Lawful basis of the processing for UK Applications
Recruiting and processing your application for the position you applied for Any personal data you provided to us with your application and in the interviews (such as personal data included in resumes, CVs, cover letters, application forms, notes). Pre-contractual steps before an employment contract, Article 6(1)(b) UK GDPR;
legitimate interest in managing and administering the recruitment, Article 6(1)(f) UK GDPR; and
compliance with applicable (employment) laws, Article 6(1)(c) UK GDPR, Article 9(2)(b) UK GDPR, and Paragraph 1(1)(a), Schedule 1, Data Protection Act 2018.
Background checks See section about background checks below. Consent, Article 6(1)(a) UK GDPR and Paragraph 29, Schedule 1, Data Protection Act 2018.
[Informing you about future vacancies] [Any information you provided to us with your application and in the interviews (see above).] Legitimate interest in managing and administering recruitment, Article 6(1)(f) UK GDPR.
Defence against legal claims Any information you provided to us with your application and in the interviews (see above) or that we obtained in lawful background checks. Legitimate interest in defending legal proceedings, Article 6(1)(f) UK GDPR; and
defence of legal claims, Article 9(2)(f) UK GDPR.

How long will we keep your data?

Personal data relating to applications is stored for a period of 6 months from when the account was last accessed by the candidate, for the purpose of legal proceedings. Application data may be kept a period of up to 2 years in order to inform candidates about other opportunities that may be appropriate for them, or for further periods when the candidate has asked that we do so.

Background checks and data relating to criminal convictions and offences

For UK Applications we generally do not conduct criminal records checks, unless it is relevant and appropriate for the specific role and legally permissible. In such cases, we use your personal data to carry out our legal obligations.

Special categories of data in context of UK Applications

We only collect special categories of data if strictly required to comply with applicable laws.

Country-specific recruitment privacy notice addendum for Germany and Italy

Notwithstanding the previous provision, the following provisions shall prevail for applicants if personal data is processed in Germany or Italy and/or the personal data is processed in context of an activity of an establishment of a controller or processor in Germany or Italy (in the following referred to as “German Applications” respectively “Italian Applications”).

What personal data we process, how will we use your data and our lawful basis: To specify the information of the Group Privacy Notice for Job Applicants, we process the following categories of personal data for the following purposes on the following lawful bases (whereas “BDSG” means the German Federal Data Protection Act (Bundesdatenschutzgesetz)):

Purpose of the processing Category of personal data processed for such purpose Lawful basis of the processing for German Applications Lawful basis of the processing for Italian Applications
Recruiting and processing your application for the position you applied for Any personal data you provided to us with your application and in the interviews (such as personal data included in resumes, CVs, cover letters, application forms, notes). Pre-contractual steps necessary to decide about an employment contract Sec. 26 para 1 sentence 1 BDSG and compliance with applicable (employment) laws Sec. 26 para 1 sentence 1 and para 3 sentence 1 BDSG. Pre-contractual steps before an employment contract Article 6 (1) (b) GDPR; legitimate interest in managing and administering the recruitment Article 6 (1) (f) GDPR;
compliance with applicable (employment) laws (Article 6 (1) (c) and Article 9 (2) (b) GDPR).
Background checks See section about background checks below. Legal obligation necessary for employment-related purposes, Sec. 26 para. 1 sentence 1 BDSG. Legal obligation, Article 6 (1) (b) GDPR
Informing you about future vacancies Any information you provided to us with your application and in the interviews (see above). Consent Sec. 26 para 1 sentence 1 and para 3 sentence 2 BDSG. Consent Article 6 (1) a) or legitimate interest Article 6 (1) (f) GDPR.
Defence against legal claims Any information you provided to us with your application and in the interviews (see above) or that we obtained in lawful background checks. Carrying out the employment relationship Sec. 26 para 1 sentence 1 BDSG and defence of legal claims Article 9 (2) (f) GDPR. Legitimate interest Article 6 (1) (f) GDPR and defence of legal claims (Article 9 (2) (f) GDPR.

How long will we keep your data?

Generally we do not store personal data of German Applications and Italian Applications for longer than 6 months, unless you consented to longer storage or longer storage is otherwise required by applicable laws or to establish or defend legal claims.

Background checks and data relating to criminal convictions and offences in

context of German Applications and Italian Applications

For German Applications and Italian Applications we generally do not conduct background checks and do not collect data related to criminal convictions and convictions, unless for the specific role collecting such information is relevant, appropriate given the nature of the role and legally permissible. In such cases, we use your personal data to carry out our obligations in respect of safeguarding.

Special categories of data in context of German Applications and Italian Applications

For German Applications and Italian Applications we only collect special categories of data if strictly required to comply with applicable law or to execute the employment law or following possible recruitment for other services and benefits offered to the employee. No data about ethnicity is collected for German Applications and Italian Applications.

Contacting our data protection officer:

In addition to the means of contact in our Group Privacy Notice for Job Applicants you may also contact our data protection officer.

Country-specific recruitment privacy notice addendum for Canada

If you are a Canadian resident applying for a position at a MHI Group entity located in Canada, then this section applies and provides you with further information about the way in which this entity handles and protects your personal data as well as any rights you may have with respect to your personal data.

How do we use your personal data?

In addition to the purposes listed in the Privacy Notice, the MHI Group entity may use relevant portions of your application information to establish and maintain your employment file, but only in the event a decision is made to hire you.

How do we manage consent?

By submitting information to us via the recruitment site or otherwise during the application process, we rely on your consent to collect, use and share your personal data as set out in this Privacy Notice, unless otherwise permitted under applicable laws. In some cases, your consent may be “implied”, meaning that your agreement is assumed based on your action or inaction at the point of collection, use or sharing of your personal data.

Where we rely on your consent to process your personal data, you may also have a right to withdraw your consent at any time, except in limited circumstances, including legal or regulatory requirements or as a result of our contractual obligations with you. If you choose not to provide us with certain personal data or if you withdraw your consent, where such withdrawal is available, we may not be able to process your job application or provide you with the information that you requested.

Where will your personal data be kept?

As we rely on the services of MHI Group entities and third-party service providers around the world to operate the MHI Group’s global workforce management system (i.e. SuccessFactors), your personal data may be transferred to other countries, including Japan, United Kingdom and America.

Although we employ contractual and other means to provide your personal data a comparable level of protection while it is being processed outside Canada, it may be subject to the laws of those other countries, including laws permitting or requiring information to be disclosed to foreign authorities, such as regulatory bodies and law enforcement in those other countries.

With whom do we share your personal data?

Personal data may also be shared in connection with the transfer of all or part of our operations, assets or activities to a third party, a merger with another entity, or another form of corporate transaction. In this case, we will comply with the legal requirements for the disclosure of personal data and ensure that the handling of your personal data complies with applicable laws.

Accessing and correcting your personal data

As a Canadian resident, you may have the right to access and rectify the personal data we hold about you in accordance with the laws applicable in the province in which you reside. If you believe that your personal data is inaccurate, incomplete or no longer up to date, or wish to access such personal data, you may send us a written request us at [email protected], attention: Head of Legal. We will respond to your request within a reasonable delay, in compliance with applicable laws.

Country-specific recruitment privacy notice addendum for Singapore

The following terms in this addendum to the Group Privacy Notice for Job Applicants dated January 12, 2022 (“Privacy Notice”) (“Addendum”) apply in respect of our collection, use and disclosure of your personal data , if you are a job applicant applying to a member of the MHI Group in Singapore (collectively, “we”, “our”, “us”, as the case may be).

Unless the context otherwise requires, capitalised terms in this Addendum have the same meaning as in the Privacy Notice.

We may revise this Privacy Notice from time to time without any prior notice. You may determine if any such revision has taken place by referring to the date on which this Privacy Notice was last updated. Your continued participation in our job application process constitute your acknowledgement and acceptance of such changes.

1.Background

1.1 Subject to the data protection provisions of the Personal Data Protection Act of Singapore (No. 26 of 2012) (“PDPA”), our collection, use and disclosure of your personal data will be governed by the Privacy Notice read with this Addendum.

1.2 Without prejudice to any of the general terms in the Privacy Notice, if there is any inconsistency between the terms of this Addendum and the Privacy Notice, the terms of this Addendum shall apply to the extent of such inconsistency, provided always that where the terms of the Privacy Notice afford you a higher standard of personal data protection under any applicable laws, such term of the Privacy Notice shall apply instead.

2. Consent to Collection, Use and Disclosure of Personal Data

2.1 By proceeding with your job application with us, you expressly consent to the collection, use and disclosure of your personal data by us for the purposes of the PDPA. we reserves all our rights, including amongst others, not to proceed with your job application if you withdraw your consent to the collection, use and disclosure of your personal data. You may withdraw consent and request us to stop collecting, using and/or disclosing your personal data for the purposes set out in the Privacy Notice by submitting your request in writing or via email to our data protection officer in paragraph 9 below.

2.2 Please note that withdrawing consent does not affect our right to continue to collect, use and disclose personal data where such collection, use and disclose without consent is permitted or required under applicable laws.

3. Purposes of Collection, Use and Disclosure of Personal Data

3.1 We may collect, use and disclose your personal data for the purposes of the scope as set out in the Privacy Notice, and any purposes strictly necessary in connection thereto (including purposes and legitimate interests as provided for and in accordance with the PDPA).

4. Accuracy of Personal Data

4.1 We make reasonable efforts to ensure the personal data we collect from you is accurate and complete, in particular if it will be used to make a decision in relation to your job application with us.

4.2 You should ensure that all personal data you provide to us is accurate and complete. You may amend, update or correct your personal data in the manner set out in the Privacy Notice.

5. Access and Correction of Personal Data

5.1 You may access and/or correct your personal data in the manner stated in the Privacy Notice.

5.3 We will respond to your request as soon as reasonably possible. In general, our response will be within 10 business days. Should we not be able to respond to your access request within 10 business days after receiving your access request, we will inform you in writing within thirty 10 business days of the time by which we will be able to respond to your request. If we are unable to provide you with any personal data or to make a correction requested by you, we shall generally inform you of the reasons why we are unable to do so (except where we are not required to do so under the PDPA).

5.4 Please note that depending on the request that is being made, we will only need to provide you with access to the personal data contained in the documents requested, and not to the entire documents themselves. In those cases, it may be appropriate for us to simply provide you with confirmation of the personal data that our organisation has on record, if the record of your personal data forms a negligible part of the document.

6. Protection of Personal Data

6.1 Your personal data provided to us will be secured in the manner as set out in the Privacy Notice.

6.2 You should be aware, however, that no method of transmission over the Internet or method of electronic storage is completely secure. While security cannot be guaranteed, we strive to protect the security of your information and are constantly reviewing and enhancing our information security measures

7. Retention

7.1 We are permitted under the PDPA to retain your personal data for as long as:

(a) the retention of the personal data continues to serve any purpose for which it was collected; and

(b) we have a business or legal need for such retention. 7.2 In the event that retention of personal data is no longer necessary for any business or legal purposes or when the purpose for which the personal data was collected is no longer being served by the retention of the personal data, we will remove, destroy or anonymise the personal data.

8. Transfer of your Personal Data outside of Singapore

8.1 We will ensure that any organisation outside of Singapore (including any member of the MHI Group) which we transfer your personal data to for the purposes of processing your job application shall provide a standard of protection that is at least comparable to the data protection provisions of the PDPA.

9. Notification of Data Breach

9.1 We will notify the Personal Data Protection Commission of Singapore, being the regulatory authority administering the PDPA, in the event we incur a notifiable data breach as set out in the PDPA. We will also notify you of the occurrence of such data breach if you are affected by the same, in accordance with the PDPA.

10. Porting of your Personal Data

10.1 You may request for us to transmit your personal data that you have provided us to another organisation in a commonly used machine readable format in accordance with the PDPA.]

11. Data Protection Officer

11. 1 You may contact our data protection officer in respect of any request, queries or clarifications in connection with this Addendum at the contact details as set out in the Privacy Notice.