CarGurus
EEA Candidate Privacy Notice
We are committed to protecting the privacy and security of your personal information. This privacy notice describes how we collect and use personal information about you during the recruitment process, in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
- Who we are
CarGurus Ireland Limited, CarGurus UK Limited, and any affiliate of CarGurus, Inc. that is organized in a member state of the European Economic Area (EEA) (“CarGurus”, "we", or "us") are controllers of your personal data. We would like to provide you with details of the extent to which we process your personal information. This privacy notice applies to employment candidates of CarGurus. It is important that you read and retain this privacy notice so that you are aware of how and why we are using your personal data.
- How is your personal data collected?
We collect personal information about candidates through the application and recruitment process, either directly from candidates or sometimes from an employment agency. We may sometimes collect additional information from third parties including former employers, credit reference agencies or other background check agencies, and through publicly accessible sources, such as LinkedIn.
- The purpose and legal basis for processing your personal data
Personal data, or personal information, means any information about an individual from which that person can be identified. We have detailed in the table below, your personal data that we may from time to time collect, the purpose or purposes for which we process this personal data, as well as the legal basis for such processing:
Personal Data
|
Purpose for Processing
|
Legal Basis for Processing
|
Basic information about you such as name, gender, email, home address, telephone number, and where applicable, government identification number and passport information.
|
For administration purposes, including business management and planning.
|
In order to pursue our legitimate interests of conducting personnel administration.
|
Your CV and previous work history information.
|
For making decisions about your recruitment or appointment and determining the terms on which you may work for us.
|
In order to pursue our legitimate interests of hiring the most qualified and appropriate personnel.
|
Information about your citizenship and, where applicable, your work permit or residence details.
|
For determining that you are legally entitled to work in the country.
|
In order to comply with our legal obligations and to pursue our legitimate interests to ensure that you are eligible to work with us.
|
Information relating to any legal issues or disputes that may arise.
|
For dealing with legal claims or disputes involving you, or other employees, agents and contractors, including accidents at work.
|
In order to comply with our legal obligations and to pursue our legitimate interests of effectively managing our business operations and exercising and defending our legal rights.
|
Background information, including, to the extent permissible by applicable laws, credit checks and information of bad character or criminal behaviour.
|
For assessing the suitableness and ability of employees to safely and securely carry out a particular job, task or role within the company.
|
In order to pursue our legitimate interests of effectively managing the business and for the safety and security of our business, assets and workforce.
|
Health data such as information about your physical or mental health or disability status.
|
To administer and perform duties, including ascertaining your fitness to work and rehabilitation and providing appropriate workplace adjustments.
|
In order to ensure the performance of a contract to which you may become a party and to comply with our legal obligations. Insofar as we process special categories of personal data, it is necessary for carrying out our obligations in the field of employment.
|
- If you no longer want us to use your information
Making an application to us is entirely voluntary on your part, so by making an application you are expressly agreeing that we can use your information in order to decide whether to contact you, discuss employment possibilities with you, and/or offer you employment. If you do make an application but subsequently decide, before we make any decision, that you do not want us to use your information, you can let us know and we will stop using it (we may retain a copy on our files as described below). However, this means you will no longer be eligible for employment.
- Automated decision-making
Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We do not envisage that any decisions will be taken about you using automated means, however we will notify you in writing if this position changes.
- Recipients of your personal data
We will, from time to time, send some of your personal data to certain recipients as detailed below:
- Other group companies: We may transfer your personal data to other CarGurus group companies for the legitimate interests of CarGurus, to the extent to which they need access to your data because they are involved in the recruitment processes in which you participate and to facilitate group HR management and group wide human resources planning and administration (including adequate staffing and in connection with management of the CarGurus group structure);
- Transfers to service providers: We may transfer your data to service providers assisting us in the development, performance and management of our recruitment process; and
- Transfers to third parties: CarGurus may transfer your personal data to other third parties in order to comply with our legal obligations and/or for the legitimate interests pursued by CarGurus.
We may also transfer or submit your personal data to a buyer / investor or potential buyer / investor in connection with a sale or other transfer of all or part of our shares, assets or business. The purpose of such processing is to allow for the sale or transfer and the legal basis for doing so is our legitimate interest in being able to manage our business by conducting such a sale or transfer. You can ask for further information in relation to recipients of your personal data though the ‘Contact us’ details below.
- International transfers
We will, from time to time, send some of your personal data to recipients based in countries located outside of the European Economic Area (“EEA”). As certain countries are not within the EEA, this may mean that such countries are not deemed to provide an adequate level of protection for your personal information. To ensure that your personal data receives an adequate level of protection we will put in place for any international transfers appropriate measures, as provided for under data protection laws, in order to ensure that your personal information is treated by those third parties in a way that is consistent with and which respects applicable data protection laws. We transfer your personal data to the following countries outside the EEA:
Recipient
|
Country
|
Transfer Mechanism
|
CarGurus Inc.
|
USA
|
Model Contractual Clauses
|
- Data security
We have put in place appropriate security measures to protect your personal data, including measures preventing your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to only those employees, agents and contractors who are authorised to access your data.
- How long we retain your personal data
We will generally keep your information for no more than 12 months from our final interaction with you. If you are offered and accept employment with us, we may keep your data for longer, such as for the duration of your employment or for a further period as permitted or required by applicable law.
- Your rights
You have certain rights under data protection legislation as summarised below:
- Right of access: You have the right to obtain from us confirmation as to whether or not personal data concerning you is being processed, and, where that is the case, to request access to that data, as well as certain information on how we are processing such data.
- Right to rectification: You have the right to obtain from us the rectification of inaccurate personal data concerning you. Considering the purpose of the processing, you may also, in some cases, be entitled to supplemental information regarding incomplete personal data.
- Right to erasure (right to be forgotten): You may, in certain circumstances, have your personal data deleted, for example if your personal information is no longer necessary in relation to the purpose for which it was collected, if you have objected to the processing of personal data and we do not have a legitimate interest which outweighs your interest, if the personal data has been processed unlawfully, or if the personal data must be deleted to comply with a legal obligation.
- Right to restriction of processing: Generally speaking, in cases when it is unclear whether and when personal data will have to be deleted, you may exercise your right to restrict processing while CarGurus continues to store your personal data. That right can be exercised, for example when (i) the accuracy of the data in question is contested; (ii) the processing of personal data is unlawful but you do not want the data to be erased; (iii) the data is no longer needed for the original purpose but may not be deleted yet because of legal grounds; (iv) you have objected to processing pending verification as to whether our legitimate interests override your fundamental rights and freedoms.
- Right to data portability: In some circumstances, you may be entitled to receive the personal data concerning you which you have provided to us in a structured, commonly used and machine-readable format and you have the right to transmit those personal data to another controller.
- Right to object: You have the right to object to the processing of your personal data in certain circumstances, for example where the processing is based on our legitimate interest. If so, in order to continue processing, we must be able to show compelling legitimate grounds that override your interests, rights and freedoms.
Your rights will in each case be subject to the restrictions set out in applicable data protection laws. If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact us using the details in the ‘Contact us’ section below.
If you have any grievance, issue or problem in respect of our handling or processing of your personal data in any way, you have the right to lodge a complaint to the applicable Data Protection Commission, whose contact details are as follows:
Ireland
|
Data Protection Commission
|
Telephone
|
1890 252 231
|
E-mail
|
info@dataprotection.ie
|
Address
|
Data Protection Commission, Canal House, Station Road, Portarlington
Co. Laois, R32 AP23
|
|
|
United Kingdom
|
Information Commissioner’s Office
|
Telephone
|
0303 123 1113
|
Website
|
https://ico.org.uk/
|
Address
|
Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
|
|
|
- Additions and changes
We may make updates and amendments to this privacy notice. If we do, we will inform you in advance, by email or by message on our intranet, of any intended material changes taking effect and will also explain the likely impact of those changes. If such changes to this privacy notice are communicated to you, please read the updated privacy notice carefully.
- Contact us
In order to make a query, raise a concern, avail of your data protection rights or for any other reason related to this privacy notice, please contact us at legal@cargurus.com or privacy@cargurus.com.
This privacy notice applies with effect from December 21, 2018.
I have read and acknowledged the Candidate Privacy Notice: