Rho Applicant Privacy Notice
Effective: 3 June 2022
Last Updated: 9 June 2022
Contents
- Introduction
- Scope
2.1. Rho’s Role as Data Controller
2.2. Entities Covered by This Notice
- Categories of Personal Data Collected
- Sources of Personal Data Collected
- Lawful Basis for Processing
- Sharing of Personal Data Collected
6.1. Overview of Data Sharing Practices
6.2. Sales of Personal Data
6.3. Types of Third Parties That Process Your Data
6.4. Transfers of Personal Data Outside the European Economic Area
- Your Privacy Rights
7.1. Your Right to Know What Personal Data We Have About You
7.2. Your Right to Know What Happens to Your Personal Data
7.3. Your Right to Change Your Personal Data
7.4. Your Right to Change How We Process Your Personal Data
7.5. Your Right to Ask Us to Stop Using Your Personal Data
7.6 Your Right to Port or Move Your Personal Data
7.7 Your Right to Have Your Personal Data Deleted
7.8. Your Right Not to Be Discriminated Against
7.9. Your Right to Lodge a Complaint with a Supervisory Authority
7.10. Exercising Your Privacy Rights
7.10.1. Verification of Authority
7.11. Verification of Your Identity to Respond to Your Privacy-Related Request
7.12. Format and Timing of Our Response to Your Privacy-Related Request
- How We Protect Your Personal Data
- Contact Us
- Changes To This Privacy Notice
1. Introduction
Rho takes the protection of our job applicants’ personal information (“Personal Data”) very seriously.
We ask that all applicants read this Privacy Notice (the “Notice”) to learn what Personal Data we collect about you in relation to processing your application and evaluating your suitability for employment with Rho, why and how we collect and use your Personal Data, and with whom we might share it.
This Notice also informs you of your rights under the EU’s General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act of 2018 (“CCPA”).
Rho has adopted this Notice to comply with the GDPR and the CCPA. Any terms defined in the GDPR and the CCPA have the same meaning as when used in this Notice.
If you have any questions about this Notice, please send an email to Data_privacy@rhoworld.com.
2. Scope
This Notice applies to job applicants who are California residents and applicants for positions with our entities in the European Economic Area (the EU countries, Norway, Iceland and Liechtenstein) who are working within Rho. We refer to all such people as “applicants” in this Notice.
This Notice is issued on behalf of Rho and our Affiliates (as defined in the section Entities Covered by This Notice). When reading this Notice, "Rho" refers to the relevant company in the Rho group responsible for processing your Personal Data.
This Notice covers:
- The categories of Personal Data we collect
- Why we collect your Personal Data
- How we obtain your Personal Data
- With whom we share your Personal Data
- Your rights as they relate to your Personal Data, and how you can exercise those rights
- How we protect your Personal Data
- How to contact us
2.1. Rho’s Role as Data Controller
Within the scope of this notice, Rho acts as a data controller or “business” for the Personal Data we collect or that others collect on our behalf. This means that we are responsible for determining the purposes and means of the processing of your Personal Data – in other words, how and why we collect, use, and share it.
2.2. Entities Covered by This Notice
This Notice covers Rho, Inc., and its affiliate entities (the “Affiliates”), including:
- SIA Dokumeds and its affiliates
- Rho Europe, B.V.
- RhoWorld UK, Ltd.
3. Categories of Personal Data Collected
Rho receives Personal Data primarily through:
- Information you provide to us directly. This could include documents that are required for employment, such as a job application, background check authorization form, I-9 form, direct deposit information, tax forms and other legal requirements.
- Third parties. This could include data that is provided to Rho from third parties such as a recruiting or hiring agency, former employer or reference, authorities, or some other information provider.
The following table lists the categories of Personal Data we may collect about you in the application process:
Table 2: Categories of Personal Data Collected
Category | Personal Data We Collect |
Identifiers | Biographical information, including but not limited to first name, middle name, last name, former last name, preferred first name, date of birth, driver’s license number, passport number, or other identity documents. Contact information, including but not limited to email, address (address line 1, 2, city, state/province abbreviation, ZIP/Postal code, county, country code), personal and corporate phone number. Application information, including but not limited to the information included in an application form, CV, and references. Gender |
Special categories of personal information listed in the California Customer Records statute* | Biographical information, including but not limited to first name, middle name, last name, former last name. Contract information, including but not limited to address (address line 1, 2, city, state/province abbreviation, ZIP/Postal code, county, country code), personal and corporate phone number. State-issued identifiers, including but not limited to, driver's license or state identification card number. Other, including but not limited to education and employment history. |
Protected classification characteristics under California or federal law | Information needed for equal opportunities monitoring policy, including but not limited to age, race, marital status, medical conditions, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy, and other medical conditions), veteran or military status or sexual orientation). |
Security surveillance information | Images from video surveillance cameras, information on access to Rho’s premises, the premises of its group companies, and resources acquired by carrying out video surveillance in the office or premises of the Rho group companies. |
Education information | Information included in your application, including but not limited to transcripts, diplomas, dates of attendance, concentrations, and degrees earned. |
Background checks and screening information | To the extent permitted by law, information relating to criminal convictions, driver’s license checks, and verification of education. |
Other types of Personal Data | Health-related information, if required as a pre-condition for specific positions. Other: skills assessment results, publicly available information on applicant, and any other Personal data that is necessary for Rho to comply with legal requirements or necessary for Rho to protect its legitimate interests. |
4. Sources of Personal Data Collected
As part of our human resources processes, we need to collect and process Personal Data relating to our prospective employees. We may obtain your Personal Data from the sources indicated in the table below:
Table 3: Sources of Applicant Personal Data
Category | Sources of the Personal Data |
Identifiers | ● You provide this data during the process of your job application. Examples could include when we collect Personal Data from application forms, CVs or resumes, your passport or other identity documents, or through interviews or other forms of assessment, including online tests. ● The agency you are working for provided this data when they submitted your file to us. ● Third parties, such as former employers, authorities, government entities, social networks, data brokers, or other information providers, provide this data. ● Subject to applicable laws, we obtain this data through background checks and other similar information sources as required by law or deemed necessary due to the nature and security requirements related to the position in question. |
Special categories of personal information listed in the California Customer Records statute* | ● You provide this data during the process of your job application. ● The agency you are working for provided this data when they submitted your file to us. ● Third parties, such as former employers, authorities, government entities, social networks, data brokers, or other information providers, provide this data. ● Subject to applicable laws, we obtain this data through background checks and other similar information sources as required by law or deemed necessary due to the nature and security requirements related to the position in question. *Some categories of personal information included in this category may overlap with other categories. |
Protected classification characteristics under California or federal law | ● You provide this data during the process of your job application. |
Professional or employment-related information | ● You provide this data during the process of your job application. ● The agency you are working for provided this data when they submitted your file to us. ● Third parties, such as former employers, authorities, government entities, social networks, data brokers, or other information providers, provide this data. |
Background checks and screening information | ● This information is provided from background screening providers |
Non-public education information | ● You provide this data during the process of your job application. ● The agency you are working for provided this data when they submitted your file to us. ● Third parties, such as former employers, authorities, government entities, social networks, data brokers, or other information providers, provide this data. |
5. Lawful Basis for Processing
The GDPR and other applicable data protection laws require that we have a valid reason to use your Personal Data. This is called the "lawful basis for processing.” We may process your Personal Data:
- Because we need to process your Personal Data in order to perform a contract with you.
- Because we have a legitimate interest in processing your Personal Data and it is not overridden by your rights. In this case, our legitimate interest is evaluating your suitability for employment with Rho.
- Because we need to process your Personal Data in order to comply with the law.
- On another ground, as required or permitted by law.
When we rely on legitimate interests as a lawful basis of processing, you have the right to ask us more about how we decided to choose this legal basis, and you have the right to object to processing on this basis. To do so, please use the contact details provided in Section 7.10 of this Notice.
Where we receive your Personal Data from you or your entity in the context of a contractual relationship, we will process that Personal Data only to the extent that we must do so in order to carry out the contract. It will be “necessary” for us to process your Personal Data for the purposes of executing a contract if we would not be able to fulfill our contractual obligations without engaging in such processing.
In similar fashion, we may need to process certain Personal Data in order to meet our legal obligations.
- How Rho Uses Your Personal Data
Rho does not sell your Personal Data.
Rho may collect, use, or disclose your Personal Data for one or more of the following purposes:
Table 4: Purposes for Collecting Applicant Personal Data
Category | Purposes for which we collect and use your Personal Data |
Identifiers | ● Recruiting purposes, such as conducting the recruiting process, arranging interviews or testing, and making hiring decisions ● Conducting background checks ● Dealing with legal disputes involving you ● Drafting and sending internal employee emails and other correspondence ● Preventing fraud or other criminal activity ● Onboarding you ● Assuring network and other information security, including access management to prevent unauthorized access to Rho’s computers and electronic communications systems and preventing malicious software distribution ● Human Resources record-keeping ● Engaging in necessary precontractual activities or negotiations |
Special categories of personal information | ● Health data may be used to determine if an applicant meets certain pre-condition for a specific position, if applicable |
Protected classification characteristics under California or federal law | ● Monitoring of equal opportunity practices and standards |
Internet or similar network activity | ● Assuring network and other information security, including access management to prevent unauthorized access to Rho’s computers and electronic communications systems and preventing malicious software distribution |
Professional or employment-related information | ● Recruiting purposes, such as conducting the recruiting process, arranging interviews or testing, and making hiring decisions ● Conducting background checks ● Human Resources record-keeping |
Non-public education information | ● Recruiting purposes, such as conducting the recruiting process, arranging interviews or testing, and making hiring decisions ● Conducting background checks ● Human Resources record-keeping |
Security surveillance information | · Ensuring physical safety and security in certain Rho facilities and premises |
Background check information | · Determining suitability for certain positions, to the extent permitted by law |
Inferences drawn from other personal information | ● Recruiting purposes, such as conducting the recruiting process, arranging interviews or testing, and making hiring decisions ● Talent management |
- Automated Decision-Making
Applicants will not be subject to decisions that will have a significant impact on them based solely on automated decision-making. Sharing of Personal Data Collected
- Overview of Data Sharing Practices
Rho may share your Personal Data with third parties, such as suppliers, service providers, and other business partners that process Personal Data on our behalf. Examples of the types of third parties with whom we may share your personal data include recruitment and application tracking services, human resource information system software and services, and background screening solutions.
Rho may also disclose Personal Data when required by law or in good-faith belief that a disclosure is necessary to comply with official investigations or legal proceedings (whether initiated by government or law enforcement officials or private parties). If required to disclose applicant Personal Data to government or law enforcement officials, Rho may not be able to ensure that those officials will maintain the privacy and security of applicant Personal Data.
Rho reserves the right to use, transfer, sell, and share aggregated, anonymous data for any legal business purpose. As this Personal Data is anonymized, such data is not considered Personal Data under applicable privacy laws.
We do not sell your Personal Data to third parties.
- Types of Third Parties That Process Your Personal Data
The following table describes the categories of information we have disclosed to third parties for business purposes, and the categories of those third parties.
Table 5: Third Parties Receiving Personal Data
| Personal Data Disclosed for Business Purposes? |
Category | Yes or No | Categories of Third Parties Receiving Personal Data |
Identifiers | YES | ● Payroll services ● Performance management services ● Human resources information system software and services ● Data storage and IT service providers ● Background screening solutions |
Special categories of personal information | NO | |
Protected classification characteristics under California or federal law | YES | ● As a federal government contractor in the United States, this data may be shared with affirmative action plan consultants. It may also be shared on an aggregated basis with government agencies and/or 3rd parties, on behalf of government agencies. |
Internet or similar network activity | YES | ● Human resources information system software and services ● Vendors providing IT security services |
Background check information | YES | ● Background screening solutions |
Professional or employment-related information | YES | ● Background screening solutions ● Human resources information system software and services |
Non-public education information | YES | ● Background screening solutions ● Human resources information system software and services |
- Transfers of Personal Data Outside the European Economic Area
Some of the entities we send Personal Data to are located outside of the European Economic Area and the United Kingdom (“UK”). In some cases, the European Commission or the UK Secretary of State may have determined that the data protection laws of some countries provide a level of protection equivalent to EU or UK law.
When the GDPR applies to the processing of Personal Data, Rho will only transfer the data out of the European Economic Area or the United Kingdom to countries that have not been recognized as providing an adequate level of protection to personal data by using appropriate transfer mechanisms such as the European Commission approved standard contractual data protection clauses under Article 46.2 of the GDPR. We typically transfer Personal Data to the United States.
We retain your Personal Data for a period of three years, unless a longer retention period is required or permitted by law, including for the purposes of satisfying any legal or reporting requirements, or any other lawful legitimate purposes.
6. Your Privacy Rights
You have specific rights regarding your Personal Data. This section describes your rights, and how you can exercise those rights.
6.1. Your Right to Know What Personal Data We Have About You
You have the “right of access”, meaning you can request that we disclose certain information to you about our collection and use of your Personal Data over the past twelve (12) months.
Once we confirm it was you or your authorized agent who made the request, we will disclose to you:
- The categories of Personal Data we have collected about you
- The categories of sources for the Personal Data we collect about you
- Our business or commercial purpose for collecting your Personal Data
- The categories of service providers or third parties with whom we share that Personal Data
- The specific pieces of Personal Data we have about you (this is also called a data portability request)
- If we disclosed your Personal Data for a business purpose, we will list the disclosures and identify the categories of the Personal Data disclosed to each category of recipient
6.2. Your Right to Know What Happens to Your Personal Data
You have the “right to be informed,” which means you have the right to know how Rho collects, uses, and shares your Personal Data. This Notice provides you with this information.
6.3. Your Right to Change Your Personal Data
You have the “right to rectification.” If you think that your Personal Data maintained by Rho is incorrect or incomplete, you have the right to request that it be corrected or completed.
6.4. Your Right to Change How We Process Your Personal Data
In certain circumstances, you have the “right to restrict processing,” which means you have the right to request that Rho only use or store your Personal Data for certain purposes.
6.5. Your Right to Ask Us to Stop Using Your Personal Data
You have the “right to object”, which means that in some cases you can request that Rho stop using your Personal Data.
6.6. Your Right to Port or Move Your Personal Data
You have the “right to data portability”, which means you can ask for and receive a portable copy of your Personal Data processed by Rho so that you can move it, copy it, keep it for yourself, or transfer it to another organization.
6.7. Your Right to Have Your Personal Data Deleted
You have the right to request that we delete any of your Personal Data. Once we receive and confirm that it was you or your authorized agent who made the request, we will delete (and direct our service providers to delete) your Personal Data from our records, unless an exception applies. If such a request is denied, Rho will consider how the use of your Personal Data can be limited instead of deleted.
We may deny a request to delete your Personal Data if we or our service providers need to retain the information to do any of the following:
- Complete the transaction for which we collected the Personal Data, take actions reasonably anticipated within the context of our ongoing business or employment relationship with you, or otherwise perform our contract with you
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities
- Debug products to identify and repair errors that impair existing intended functionality
- Exercise the rights of freedom of expression and speech, ensure the right of another California or EU resident to exercise their freedom of speech or expression rights, or exercise another right provided for by law
- For the establishment, exercise, or defense of legal claims
- Enable solely internal uses reasonably aligned with your expectations based on your relationship with us
- Comply with a legal obligation, including (but not limited to) obligations from the California Electronic Communications Privacy Act, or the EU or EU member states’ laws
- Make other internal and lawful uses of that information that are compatible with the context in which you provided it
6.8. Your Right Not to Be Discriminated Against
Rho will not discriminate against you if you seek to exercise your privacy rights.
6.9. Your Right to Lodge a Complaint with a Supervisory Authority
If the GDPR applies to our processing of your Personal Data, you have the right to lodge a complaint with a supervisory authority if you are not satisfied with how we process your Personal Data.
Specifically, you can lodge a complaint in the Member State of your habitual residence, place of work, or in which the alleged violation of the GDPR occurred.
6.10. Exercising Your Privacy Rights
To exercise any of the rights described in this section, please submit a request by any of the following methods:
- Emailing us at Data_privacy@rhoworld.com.
When submitting a request, please provide:
- Your full name
- How you would like to be contacted (email, telephone, by mail)
- The type of request: Request to delete / Request to know / Request to opt out / Request to opt in / etc.
- The scope of your request
6.10.1. Verification of Authority
If you are submitting a request on behalf of somebody else, we will need to verify your authority to act on behalf of that individual. When contacting us, please provide us with proof that the individual gave you a valid power of attorney on to act on their behalf.
Alternatively, you may ask the individual to directly contact us by using the contact details above to verify their identity with Rho and confirm with us that they gave you permission to submit this request.
We will only use the Personal Data you provide us to verify your authority.
6.11. Verification of Your Identity to Respond to Your Privacy-Related Request
To evaluate your privacy rights requests, we need to confirm that YOU made the request. Consequently, we may require additional information to confirm that you are who you say you are.
6.12. Format and Timing of Our Response to Your Privacy-Related Request
We will use best efforts to confirm the receipt of your request within 10 days and, in that communication, we will also describe our identity verification process (if needed) and when you should expect a response, except when we have already granted or denied the request.
Please allow us up to one calendar month to reply to your requests to know and requests to delete starting from the day we received your request. If we need more time (up to three calendar months), we will tell you why and provide the extension period in writing.
Consider that we will only cover the three year period preceding the moment we receive your request in any disclosures we provide you with.
If we cannot satisfy with a request, we will also explain why in our response. For data portability requests, we will choose a format to provide your Personal Data that is readily useable and should allow you to transmit the information from one entity to another entity without difficulty.
We commit to not charging a fee for processing or responding to your requests. The only situations where we may charge a fee is when we determine that your request is excessive, repetitive, or manifestly unfounded. In those cases, we will tell you why we made that determination and provide you with a cost estimate before completing your request.
7. How We Protect Your Personal Data
We are committed to keeping your Personal Data safe. We have implemented and will maintain technical, administrative, and physical measures that are reasonably designed to help protect your Personal Data from unauthorized processing. Unauthorized processing includes unauthorized access, exfiltration, theft, disclosure, alteration, or destruction.
8. Contact Us
If you have any questions or comments about this Notice, how we collect and use your Personal Data, your choices and rights regarding such use, or if you wish to exercise your privacy rights, please contact us by email at data_privacy@rhoworld.com.
9. Changes to This Notice
If we make any material change to this Notice, we will post the revised Notice to this page and update the “Effective” date. Please check back here to see any updates.