NETHERLANDS - Recruitment and Employment Data Privacy Notice

Protecting the privacy and security of your personal information is extremely important to us.  We want you to be clear on how your personal information is processed and how we comply with data protection laws.

This notice applies to prospective, current and former employees and, where relevant, to prospective, current and former contract workers, agency workers, consultants, interns and others whose personal information we hold in the context of a working relationship (or prospective working relationship) with Hiscox* across the Netherlands.

If you have any questions about this notice, please speak to your local People Function contact.

1. Introduction – about this Privacy Notice

This privacy notice does not form part of any contract of employment, or other contract to provide services.

Hiscox is committed to protecting your privacy. This notice tells you what personal information we collect, why we need it, how we use it in connection with the recruitment and on boarding processes and during and after your employment or engagement with us and what protections are in place to keep your personal information secure. It also sets out your rights in relation to your personal information.

It is important that you read this notice, and any information notice that we may subsequently provide to you, carefully so that you are aware of how and why we are processing your personal information.

We may update, or otherwise amend, this notice at any time and you will be notified of such amendments.

Hiscox act as data controller in respect of the personal information that we process about you. This means that we are responsible for deciding how we hold and use personal information about you.

We have appointed a Data Protection Officer to oversee Hiscox’s compliance with data protection laws. The contact details of the Data Protection Officer are [email protected].

If you have any questions about this notice, how we handle your personal information or you would like to update the information we hold about you, we would strongly encourage you to speak to your local People Function (formerly HR) contact in the first instance, but if you wish you can also contact the Data Protection Officer.

Our obligations in relation to processing your personal information are set out in this notice, and in our data protection policy and related procedures. The data protection policy can be found on the intranet. 

You also have responsibilities in relation to personal information, and must comply with our data protection policy, which includes:

  • taking appropriate steps to protect the security of personal information 
  • being careful about who personal information is disclosed to 
  • protecting your communications and devices 
  • following other business processes in relation to the handling of customers’ personal information

2. What personal information do we hold about you?

Your 'personal information' means any information about you from which you can be identified - either by reference to an identifier (e.g. your name, location data or online identifier (e.g. IP address)) or from factors specific to your physical, cultural or social identity (e.g. your social background, outside interests etc).

It does not include information where the identity has been removed (such as anonymous information).

Hiscox collect and use personal information that you provide as part of the recruitment and on-boarding processes or which we have received as part of background screening and vetting processes, as well as additional personal information that is collected in the course of your employment or engagement (e.g. for performance reviews). We primarily use this personal information for the recruitment process, to comply with contracts of employment, for managing the workforce and business purposes. 

The personal information about you that we may collect, store and use includes, but is not limited to, the following categories of information: 

  • General information such as your name, address, contact details (work and personal), date of birth, sex, marital status, dependents, next of kin and emergency contact information.
  • Recruitment information such as your right to work documentation, driving licence, references, employment records, salary and benefits history and other information included in a CV or covering letter or otherwise received by Hiscox as part of the application and on boarding process. 
  • Financial information, such as your bank account details, payroll records, tax status information and national insurance / public service number. 
  • Remuneration and benefits information, such as salary, pension, benefits and annual leave.
  • Current employment terms and employment records, such as start date, job title, workplace, working hours, attendance records, sick leave/ pay records, holiday and leave records, performance, disciplinary and grievance records, education and training records and professional memberships.
  • Images and recordings, such as CCTV footage, electronic records – e.g  Swipe card footage (where used), photographs, video images, voice recordings, information about your use of our IT and communications systems to the extent that this is required by law 
  • Information about family members (including dependents) for the purpose of providing benefits.

Please note that the type of personal information we collect about you will depend to some extent on your circumstances, your role and our legal obligations.

Certain 'special categories' of more sensitive personal information (such as information about racial/ ethnic origin, sexual orientation, political opinions, religious/ philosophical beliefs, trade union membership, biometric or genetic data and health data) are given a higher level of protection by data protection laws. 

The special categories of more sensitive personal information we may collect, store and use includes, but is not limited to, the following categories of information:

  • Collection or processing of medical information is not conducted by Hiscox Netherlands in accordance with local labours laws. Please speak with your People Function representative or the Privacy team for further information.
  • Information about your race or ethnicity via diversity and inclusiveness initiatives (DEI) may be requested from time to time. DEI initiatives will request information in an anonymised capacity via optional campaigns. 

The provision of your personal information is necessary to enter into an employment contract with Hiscox.

Where the personal information is processed to perform the employment contract or to comply with a legal obligation, its provision is mandatory. Failure to provide such personal information would cause the impossibility for Hiscox to enter into or to continue the employment contract with you, or at least to perform its main obligations under the employment agreement.

3. Where do we collect your personal information from?

We collect your personal information:

  • From you: we typically collect your personal information directly from you through the application and recruitment process.
  • From third parties: we may sometimes collect additional information from third parties including former employers, credit reference agencies, medical officers or other background check agencies and details of those third parties are available from your local People Function contact.  The categories of personal information we may collect, store and use from third parties includes, but is not limited to, the following categories of information:
  • References
  • Credit Check
  • Occupational health reports
  • Criminal record check results to the extent allowed by law

We will only seek this information in relation to successful candidates that have accepted a conditional offer of employment or engagement with us and we will specifically inform such candidates that we will be contacting these third parties in advance of doing so.

In the course of job-related activities: throughout the period you are working for us, we collect additional personal information about you, including from your line manager, other managers and colleagues (e.g. feedback on your performance as part of the PDR process).

4. How will we use your personal information?

We will only process your personal information when the law allows us to. In most cases, we will process your personal information where it is necessary:

 

  • Basis 1 – to take steps necessary to enter into an employment contract or working relationship with you or to perform the contract we have entered into with you for the purposes of employment or engagement (e.g. your bank details in order to pay you)
  • Basis 2 - to comply with a legal obligation (e.g. provision of tax information to a government department or regulatory body) 
  • Basis 3 - for our legitimate interests as a business and as an employer (or those of a third party). Where we rely on legitimate interests as the reason for processing personal information (e.g. to monitor diversity as part of ensuring diversity across the company), we have considered whether those interests are overridden by any separate rights or freedoms of our workforce and have concluded that they are not.

We may also process your personal information in the following circumstances, but this is likely to be rare:

  • with your specific consent
  • where we need to protect your interests (or someone else’s interests)

We need all the personal information referred to above in 2B. We process your personal information for a number of purposes including, but not limited to, the following. In relation to each, we have also identified the legal basis for processing your personal information by reference to each legal basis set out in 4A above:

  • Recruitment decisions and background checks conducted as part of the vetting process in connection with our recruiting and on boarding activities (1, 2 ,3
  • Checking your legal entitlement to work in the country (2)
  • Administering your employment contract (1, 2)
  • Payroll (1, 2)
  • Providing and facilitating benefits (1, 2)
  • Education, training and development requirements (1, 2)
  • Recording and managing attendance (1)
  • Performance and salary reviews and promotions (1)
  • Disciplinary and grievance processes (1)
  • Recording and managing sickness absence and other leave (1, 2)
  • Business management/ planning and risk compliance (1, 2, 3)
  • Health and safety compliance (1, 2)
  • Tax and regulatory authority compliance (2)
  • IT and communications monitoring, security and compliance (1)
  • Managing actual and potential legal disputes, including accidents at work (1, 2, 3)
  • Managing the termination of your employment (1, 2, 3)

Some of the grounds for processing will overlap, and in some cases, there will be several grounds which justify our use of your personal information.

We will only use your personal information for the purposes for which we collected it - unless we reasonably consider that we need to use it for another purpose that is compatible with the original purpose. 

If we need to use your personal information for an unrelated purpose, we will notify you and explain the basis upon which that is necessary.

We may process special categories of personal information when the law allows us to, which will be in the following situations:

  • Basis A - Where we need to do so to fulfil our legal obligations or exercise our rights in connection with employment (e.g. for making reasonable adjustments for individuals with a disability where this is required by law) 
  • Basis B - Where it is needed to assess your working capacity on health grounds (e.g. for an occupational health report), subject to appropriate confidentiality safeguards 
  • Basis C - Where it is necessary in order to establish, exercise or defend a legal claim 

    Where, in exceptional circumstances, it is necessary to protect your interests (or someone else’s interests) and you are not capable of giving your consent (e.g. in a medical emergency)

  • Basis D - With your explicit consent, where the processing is voluntary - this will only be in limited circumstances

'Special categories' of particularly sensitive personal information attract higher levels of protection, and we must have specific justification for collecting, storing and using this type of personal information. We process special category data relating to you for a number of purposes including, but not limited to, the following. In relation to each, we have also identified the legal basis for processing your personal information by reference to each legal basis set out in 4D above.

Where we process such data, we will use such data in the following ways:

  • Hiscox Self-ID provides individuals with the opportunity to voluntarily provide information relating to their race, ethnic origin, nationality, disability, gender identity or sexual orientation for the purposes of equal opportunities monitoring and in order to enhance its Diversity, Equity and Inclusion (DE&I) offering and better understand the effectiveness of its policies.  This information is processed for this purpose only with your consent (Basis D).

    Wherever possible, the monitoring will be conducted on the basis of using anonymised data so individuals cannot be identified.  The information processed for monitoring purposes will be maintained separately from general management and HR records.

We may process information about criminal convictions.  Given the nature of our business, we ask successful candidates who have accepted a conditional offer of employment or engagement to disclose their criminal record history and we carry out criminal record checks as part of our background vetting process and in compliance with our obligations in connection with employment or engagement (Basis A). 

In some cases we are required to carry out these checks (for example, for regulated roles); in all cases, we carry out the checks in accordance with the applicable law. 

For regulated roles, the criminal record checks may be repeated periodically during the course of employment or engagement in accordance with our regulatory obligations.

We will always treat criminal record history as confidential and it will only be shared internally where there is a specific and legitimate purpose to do so. We have implemented appropriate physical, technical, and organisational security measures designed to secure your personal data against accidental loss and unauthorized access, use, alteration, or disclosure. 

Criminal record information will be deleted once the applicable checks have been completed, subject to any exceptional circumstances and/or to comply with particular laws or regulations.  Criminal record information will typically be retained for a maximum of 6 months, although the outcome of any check will remain on the individual’s record.

We may only use information relating to criminal convictions where the law allows us to do so. This will usually be where such processing is necessary to act in accordance with our regulatory and other legal obligations and is in accordance with our data protection policy. 

5. Do we need your consent?

There may be limited circumstances where the legal basis for processing your personal information as outlined at 4A and 4D does not apply.  In this case we will approach you to obtain your explicit consent to allow us to process certain particularly sensitive data, or other personal information. 

We will only seek and rely on your consent where you are fully informed and your consent can be freely given

We will provide you with full details of the information that we require and the reason we need it, so that you can carefully consider whether you wish to consent. 

If you do provide your consent to the processing of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. Once we have received notification that you have withdrawn your consent, we will no longer process your information for that purpose.

If you wish to withdraw your consent, please speak to your local People Function contact in writing in the first instance, who will refer to the Data Protection Officer as needed.

6. What steps do we take to protect your data?

Hiscox has security measures in place to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, or inappropriately altered or disclosed. Where processing includes special categories of Personal Data, additional security measures including greater access controls are in place. In addition, we limit access to your personal information to those who need to process that information for business reasons. They will only process your personal information on our instructions and they are subject to a duty of confidentiality. 

We have put in place procedures to deal with any suspected information security breach and will notify you and any applicable regulator of a suspected breach as appropriate and in accordance with our legal obligations.

7. Who do we share your personal information with?

Where this is relevant to their role, your line managers, certain People Function professionals, and in some cases certain colleagues (i.e. where necessary to fulfil business requirements) will have access to some of your personal information.

We may share your personal information with third parties, including third party service providers and other Hiscox Group companies in the following situations:

  • where required by law 
  • where it is necessary to administer the working relationship with you
  • where we have another legitimate interest in doing so, as a business and as your employer or prospective employer

In these circumstances, we require third parties to ensure the security of your personal information and to treat it in accordance with the law.

The terms of our contracts with third parties include obligations on them in relation to what personal information they can process and what they can do with that information. All our third party service providers, professional advisers and other entities in the Hiscox Group are required to take appropriate security measures to protect your personal information in line with our policies.

We may disclose your personal information to the third parties listed below where relevant to the purposes described in this notice. This might include:

  • other companies within the Group as part of our regular reporting activities on company performance, in the context of a business reorganisation or Group restructuring exercise, for system maintenance support and hosting of data
  • agents or contractors that provide services to us including, for example, payroll, pension administration, benefits provision and administration, IT services and background screening checks carried out as part of the recruitment process and any routine screening during the employment/working relationship
  • relevant tax bodies
  • visa and immigration authorities
  • regulatory authorities
  • professional advisers
  • medical officers, occupational health officers

Further details can be obtained from your local People Function contact.

Any questions or details required regarding pre-employment background screening checks should be directed to the Central People Operations Team [email protected] and/or the Group Data Protection Officer [email protected].

8. Which countries do we transfer data to?

Your personal information may be disclosed to members of the Hiscox Group outside of the EU or European Economic Area (EEA). Those countries (being the US and Bermuda) require additional protections to legitimise any data transfers, these are detailed in section B below. 

Certain suppliers and service providers may also have personnel or systems located outside the EU and EEA. Your personal information may therefore be transferred outside the EU to non-EEA countries, details of which are available from your local People Function contact if you would like further details.

Hiscox has an intra-Group data transfer agreement in place which regulates cross-border transfers of your personal information within the Group. Where required, Hiscox rely on the EU Standard Contractual Clauses within this agreement in order to legitimise this transfer of data. 

Where we share your personal data with third parties who are outside the EU or the EEA, we will take steps to ensure that your personal information receives an adequate level of protection, for example by, entering into the EU Standard Contractual Clauses.

You have a right to request further information relating to the transfer of your personal information and the safeguards in place. 

If you require further information about this, you can request it from your local People Function contact.

9. How long do we use your personal information for?

We will retain your personal information only for as long as is reasonably necessary to satisfy the purposes for which it was collected, and for the purposes of satisfying any legal, accounting or reporting and regulatory requirements. These legal and other requirements require us to retain certain records for a set period of time, including following the termination of your employment. In addition, we retain certain records in order to resolve queries and disputes that may arise from time to time.

When you are no longer an employee, we will retain and subsequently securely destroy your personal information in accordance with our Records Retention policy. If you would like further details about the Records Retention policy, please speak to your local People Function contact. 

We will typically retain personal data collected during the recruitment process in relation to an unsuccessful candidate for a maximum period of four weeks, or one year with your consent, from the end of the process subject to any exceptional circumstances and/or to comply with particular laws or regulations. 

We will typically retain personal data held in archived e-mails or other electronic files for seven years after cessation of employment for employees and four weeks, or once year with your consent, for unsuccessful candidates.

If you are offered and accept employment with Hiscox, the personal data we collected during the application and recruitment process will become part of your employment record and we may use it in connection with your employment in accordance with this Privacy Notice.

10. What are your rights and responsibilities?

Please ensure you inform us if your personal information changes while you are an employee or work with us as it is important that the personal information we hold about you is accurate and current. We also encourage you to monitor and update your personal information on Workday where appropriate.

Certain information has to be provided so that we can enter into a contract with you (e.g. your contact details, right to work in the country and payment details).  You also have some obligations under your contract to provide certain information to us (e.g. to report absences). Without this information, we may not be able to consider your suitability for employment or engagement or enter into an employment contract or working relationship with you or carry out the rights and obligations efficiently that arise as a result of the employment or working relationship.

In addition, you may have to provide us with information so that you can exercise your statutory rights (e.g. parental leave (where applicable)).  If you fail to provide the necessary information, this may mean you are unable to exercise your statutory rights.

You have a number of rights in relation to the personal information that we hold about you (subject to certain exemptions).

You have the following rights (subject to certain exemptions): 

  • to make a data subject access request: to obtain a copy of the personal information we hold about you
  • to ask us to correct inaccurate personal information, including the right to have any incomplete information about you made complete
  • to ask us to erase your personal data where it is no longer necessary in relation to the purposes for which it was collected
  • to ask to restrict the processing of your personal information where:
    • the accuracy of the personal data is contested - while steps are taken to correct or complete it or to verify the accuracy
    • the processing is unlawful but the erasure of the personal data is not appropriate
    • we no longer require the personal data for the purposes for which it was collected but it is required for the establishment, exercise or defence of a legal claim
  • to object to processing which we have justified on the basis of a legitimate interest - in which case the relevant processing will only continue where we have compelling legitimate grounds for processing your personal information
  • to object to any decisions based solely on automated decision making
  • to ask to obtain a portable copy of those parts of your personal data where we rely on consent or performance of the contract as the justification for processing, or to have a copy of that personal data transferred to a third-party controller 
  • to withdraw your consent to processing where, in rare circumstances, we have relied on your consent as the justification for processing your personal information 
  • to ask to obtain a copy of any data transfer agreement, or to access information about safeguards under which your personal data is transferred outside of the European Economic Area
  • to lodge a complaint with the appropriate supervisory authority. You have the right to raise any concerns about how your personal data is being processed with the National Commision for data protection, Commission Nationale pour la Protection des Données, by going to the website: https://cnpd.public.lu/fr.html or contacting them on (+352) 26 10 60 –1
  • you may also raise a complaint of concerns with the Autoriteit Persoonsgegevens, Dutch Data Protection Authority, by going to the website: https://autoriteitpersoonsgegevens.nl/ or contacting them on 088-1805250.

 

Subject access requests

There is generally no fee to access the personal information that we hold about you, however we may charge a reasonable fee if your request is clearly unfounded or excessive or if you request further copies of the same information.

Alternatively, we may refuse to comply with a request that is unfounded or excessive.

No automated decision-making is performed regarding your personal data.

Further information about your rights is available from your local People Function contact.

If you want to make one of these requests, please speak to your local People Function contact or contact the Data Protection Officer at [email protected]

*this will be the company which employs or engages you in the context of a working relationship, which will be:

  • in the Netherlands, Hiscox SA of Arent Janszoon Ernststraat 595B. 1082 LD Amsterdam