Recruitment Privacy Notice

Last updated: 28 May 2020

  • Please read this Privacy Notice in full to ensure that you are fully informed. If you only want to access a particular section of this Privacy Notice then you can click on the relevant link below to jump to that section:
  • 1. What is the purpose of this document?
  • 1.1 dunnhumby Limited (referred to in this Privacy Notice as “we”, “our” or “us”) is a “data controller”. This means that we are responsible for deciding how we hold and use data relating to you (“personal data”). You are being provided with a copy of this Privacy Notice because you are applying for work with us (whether as an employee, worker or contractor). It makes you aware of how and why your personal data will be used, namely for the purposes of the recruitment exercise, and how long it will usually be retained for. It provides you with certain information that must be provided under the General Data Protection Regulation ((EU) 2016/679) (“GDPR”) and other relevant privacy laws.
  • 1.2 In some of the more detailed sections below you will see a small summary box which will give you an overview of what that section contains. We do encourage you to read each section in detail.
  • 1.3 Our recruitment processes are not intended for children, and we do not knowingly collect data relating to children. When we refer to children we are referring to persons under the age of 16.
  • 1.4 Please note that where you are successful in your application, personal data gathered during the recruitment process will be transferred to your personnel file and retained during your employment. How we use such information during your employment will be provided to you in a separate employment privacy notice.
  • 2. When do we collect personal data?
  • This section explains the various ways in which we collect information about you as you proceed through our recruitment process. It also sets out what other potential sources we may use to gather information about you.
  • 2.1 We collect personal data about our candidates from the following sources:
    • 2.1.1 you, the candidate;
    • 2.1.2 your recruitment agent;
    • 2.1.3 our background check provider;
    • 2.1.4 in respect of criminal convictions:
      • for all US applications, through our third-party provider;
      • for applications for finance positions in the UK, through the Disclosure and Barring Service;
    • 2.1.5 our third-party recruitment system providers involved in the recruitment process (e.g. Cubiks where you are required to undergo an online video based interview);
    • 2.1.6 KPMG (our IR35 assessment providers);
    • 2.1.7 for Brazilian applicants we will receive personal data about you from our third party medical and drugs screening services provider;
    • 2.1.8 for US applicants we will receive personal data about you from our third-party drug screening services provider and our employment reference check services provider;
    • 2.1.9 for German applicants we will receive personal data about you from our Works Council based in Berlin who have a statutory right to review your application;
    • 2.1.10 your named referees;
    • 2.1.11 third party providers of publicly accessible sources such as LinkedIn; and
    • 2.1.12 our talent assessment provider (Cubiks) whose platform we use to carry out some of the assessments which are part of our recruitment process. We may refer you to Cubiks to complete online tests that assess certain behavioural or cognitive skills which are relevant to the role you have applied for.
  • 3. What personal data do we collect?
  • This section covers what types of personal data we collect. Most of the personal data we collect will either be provided by you voluntarily or will be collected from third parties such as your referees/references, our service providers or professional social media channels such as LinkedIn.
  • 3.1 In connection with your application, we will collect, store, and use the following categories of personal data about you:
    • 3.1.1 Identity Data: your name, title, date of birth, passport/visa details and gender;
    • 3.1.2 Contact Data: your address, email address and phone number;
    • 3.1.3 Application Data: the information you have provided on our online application form or upon registering with our talent assessment provider Cubiks, including education and employment history, qualifications, a copy of your CV, information about your current level of remuneration (including benefit entitlements);
    • 3.1.4 Interview Data: any information you provide to us during an interview, including where such interview takes place via our virtual platform provided by Cubiks through which you record and submit your interview videos;
    • 3.1.5 Assessment Data: any information you provide in the course of or resulting from any assessment which is part of our recruitment process, including the assessments carried out by our third-party service provider Cubiks. Assessment Data includes, for example, your answers to a questionnaire or a score or result rating your performance in an assessment. With respect to the Cubiks’ assessments, we will receive from Cubiks the assessment results but we will not receive or access your answers to the specific assessment questions.
    • 3.1.6 Background Data: any information we may obtain about your background including information obtained from your references/referees, information obtained from public sources such as LinkedIn and any checks we undertake to confirm your academic qualifications;
    • 3.1.7 Corporate Data: if you are applying for a role with us through a corporate entity or through an agency, information relating to those corporate entities or agencies.
  • 3.2 We may also collect, store and use the following special categories of personal data (“Sensitive Data”):
    • 3.2.1 Information about your race or ethnicity or religious beliefs;
    • 3.2.2 Information about your health, including any medical or disability information;
    • 3.2.3 Information regarding your performance against our drugs screening test (where appropriate for US and Brazilian applicants);
    • 3.2.4 Information about criminal convictions and offences.
  • 3.3 If you undertake part of the recruitment assessments via our talent assessment provider Cubiks, Cubiks may ask you to provide some non-mandatory personal data or Sensitive Data upon registering to use its online platform. You do not have to provide this data if you do not wish to, as this data is not necessary for our recruitment purposes.
  • 3.4 If you fail to provide information when requested, which is necessary for us to consider your application (such as evidence of qualifications or work history), we will not be able to process your application successfully. For example, if we require a CV or references for this role and you fail to provide us with relevant details, we will not be able to take your application further.
  • 4. How we use personal data and our legal bases for processing it
  • This section sets out how we use your personal data and our legal bases for such usage.
  • 4.1 We will use personal data about you during the application and recruitment process (and perhaps after such process has been completed) in different ways. Most commonly, we will use your personal data in the following circumstances:
    • Purpose/Activity | Categories of personal data used (as described at section 3) | Lawful basis for use
      (a) To make reasonable adjustments to our recruitment process to accommodate any disability that you may have.
        • Categories of personal data used: Identity Data; Contact Data; Sensitive Data
        • Lawful basis for use: To promote equality and fairness in our recruitment process, we may need to process your Sensitive Data relating to any disabilities which you disclose to us in order to make reasonable adjustments to the recruitment process. For this purpose, we may also need to share Sensitive Data with our talent assessment provider Cubiks. We will do so only where it is necessary to facilitate or enable your participation in the Cubiks’ assessments. We believe that such use of personal data is necessary to comply with our legal obligations as an employer, in relation to equal opportunity.
      (b) To assess your suitability for the role which you applied for.
        • Categories of personal data used: Identity Data; Contact Data; Application Data; Interview Data; Assessment Data; Sensitive Data
        • Lawful basis for use: We will need to review and assess the information you provide to us or which we obtain about you for the purposes of determining whether you are the right person for the role for which you have applied. We believe that such use is within our legitimate business interest. In limited circumstances we will make a fully automated decision about your recruitment. We have explained when this happens, and our legal bases in section 5 below.
      (c) To establish your right to work in a particular country.
        • Categories of personal data used: Identity Data; Contact Data
        • Lawful basis for use: In order to offer you a role we will need to establish whether you are legally permitted to work in the jurisdiction in which the role is situated. We believe that such use is in compliance with our legal obligation as an employer to employ only those persons who are eligible to work within the relevant jurisdiction.
      (d) To undertake work related background checks by contacting your referees/references.
        • Categories of personal data used: Identity Data; Contact Data; Application Data
        • Lawful basis for use: In order to ensure that the information relating to your previous work experience is correct and to potentially obtain information relating to your character, we will contact those persons who you nominate as your reference/referee. We believe that such use is within our legitimate business interest.
      (e) To undertake background checks relating to criminal activity.
        • Categories of personal data used: Identity Data; Sensitive Data
        • Lawful basis for use: To check your suitability for a particular role we may need to perform criminal records checks against you. However, we will only do this where we have your consent to do so, or where it is a legal requirement for us to do so based on the role for which you have applied. Please note that we only undertake such checks if:
          • you are applying for a finance role in the UK; or
          • you are applying for any role in the US.
      (f) To comply with our legal obligation to promote equal opportunities in the workplace in respect of ethnicity, race, religion and health conditions.
        • Categories of personal data used: Identity Data; Sensitive Data
        • Lawful basis for use: To ensure that our business remains an equal opportunities employer, we may need to record your information relating to ethnicity, race, religion and health conditions. We believe that such use of personal data is necessary to comply with our legal obligations as an employer, in relation to equal opportunity.
      (g) If you are unsuccessful in the application process, to contact you with future vacancies that we believe may be of interest to you.
        • Categories of personal data used: Identity Data; Contact Data
        • Lawful basis for use: To contact you about future vacancies for roles we believe you are suitable for if you are unsuccessful in your current application process. We believe that such use is necessary for our legitimate business interests.
      (h) If you are unsuccessful in the application process and you apply for a new role with us within 12 months, to assess your suitability for such new role.
        • Categories of personal data used: Assessment Data
        • Lawful basis for use: We will re-use the results of the assessments you undertook with Cubiks in the previous 12 months, if we consider such assessments relevant for the new role you have applied for. We believe that such use is within our legitimate business interest.
      (i) If you are successful in the application process, to “onboard” you onto our systems.
        • Categories of personal data used: Identity Data; Contact Data; Application Data; Interview Data; Assessment Data
        • Lawful basis for use: To collect the details you provide and to ensure that your details are “onboarded” into our central first party and third party interests. We believe that such use is necessary both for our contract with you (e.g. payment details in order to pay you in the future, and to set you up within our systems in order to allow you to start your new role), and for our legitimate business interest.
      (j) To assess whether your appointment would constitute holding a position as a contractor or an employee for tax purposes.
        • Categories of personal data used: Identity Data
        • Lawful basis for use: In order to ensure we are complying with relevant tax laws it is necessary to determine whether your proposed working arrangements would classify you as a contractor or an employee of the company for the purposes of such tax laws. We believe that such use is necessary for the purpose of complying with our tax related legal obligations.
  • 5. Automated decision-making (including our legal bases and your rights)
  • This section sets out when we undertake fully automated decision making about you, our legal bases and your rights with respect to such decision-making.
  • 5.1 In some limited circumstances (see sections 5.3 to 5.5 below), we will make a decision about you (i.e. a decision not to offer a job to you) which is fully automated in the sense that it is not taken on the basis of any human assessment or evaluation.
  • 5.2 When you undertake part of the recruitment assessments with our third-party service provider Cubiks, Cubiks will evaluate your responses to the Cubiks’ assessments in a fully automated way (i.e. by means of the Cubiks’ algorithm). However, the Cubiks’ assessment results will usually form part of our overall assessment and we will evaluate them together with other factors (such as your CV or other assessments or interviews) which we do not carry out on a fully automated basis. Therefore, in such cases our decision-making will not be fully automated.
  • 5.3 Depending on the specific recruitment process, in some cases we may shortlist candidates solely on the basis of the results from the Cubiks assessments. In this case, if your Cubiks results are below our pass threshold we will not progress you further in the recruitment process. In this specific case, our use of your Assessment Data is not based on any human evaluation or assessment (“fully automated decision-making”). We have set out below our legal bases and your rights in relation to our automated decision-making in such circumstances.
  • 5.4 We believe that fully automated decision-making is necessary where we are processing a high volume of applications for a particular position or programme. In particular, the fully automated decision-making is necessary in order to shortlist candidates with the intention of ultimately entering into an employment contract with the successful candidate(s) (pre-contractual necessity).
  • 5.5 In some limited circumstances where we do not receive a high volume of applications, our fully automated decision-making will be based on your consent. In these circumstances, if you change your mind, you can withdraw your consent by emailing us at If you do not consent or you withdraw your consent, this means that you do not want us to use your Cubiks results.
  • 5.6 We have provided further details on how we use your Cubiks’ assessment results, and how we ensure that our fully automated decision making is fair in our Candidate Assessment Policy that you will receive from us.
  • 5.7 Where we undertake fully automated decision-making you can let us know your views or objections and ask us to explain how it works, and request we review the decision by emailing us at
  • 6. Who does dunnhumby share my personal data with?
  • From time to time, we might need to share, or allow third parties access to your personal data. We only do this when we are legally permitted to do so.
    A list of those third parties who may be granted access to your personal data is set out below, along with the reason(s) for such access.
  • 6.1 During the recruitment process, we may be required to share your personal data with the following persons/parties:
    • 6.1.1 your personal data will be shared internally for the purposes of the recruitment exercise. This includes members of our HR and recruitment team and the interviewers involved in the recruitment process (as necessary);
    • 6.1.2 if you are applying for a role within our Berlin office, we have a statutory obligation to share certain personal data with our Works Council established in Germany;
    • 6.1.3 if you are successful, we may be required to share this news with our third-party recruitment agents to comply with our contract with them;
    • 6.1.4 if you are successful, we will share your Identity Data, Contact Data and Application Data with our third-party tax advisors who, through their software system, will make a determination as to whether your proposed working arrangements would classify you as a contractor or an employee under the relevant tax laws;
    • 6.1.5 if you are successful, your personal data will be “onboarded” onto our internal HR systems using recruitment software which is provided and hosted by third-party software providers such as “Enboarder”. The personal data shared with Enboarder will include your Identity Data, Contact Data, Application Data, Financial Data and Corporate Data;
    • 6.1.6 your Identity Data, Contact Data and Application Data may also be shared with our third-party recruitment software providers for the purpose of facilitating and completing the recruitment process;
    • 6.1.7 as stated in section 4, we may need to share some of your personal data with our criminal records check partners for the purpose of undertaking the relevant background checks. This will include the sharing of your Identity Data and Contact Data. You may then be asked to provide directly to the criminal records check partner certain Sensitive Data related to any past offences;
    • 6.1.8 we will contact your nominated individuals to follow up on any references we require; and
    • 6.1.9 when you undertake part of our recruitment assessments and/or a video interview via our talent assessment provider Cubiks, we will have to share your Identity Data and Contact Data (as appropriate) with Cubiks to enable Cubiks to initiate your registration with them.
  • 6.2 Except for the third parties we share your data with as stated above, we do not share (or sell) your personal data.
  • 7. How does dunnhumby keep my personal data secure?
  • 7.1 We use appropriate technical and organisational measures to protect the information that we collect and process about you. The measures we use are designed to provide a level of security appropriate to the risk of processing your personal data.
  • 7.2 Specific measures we may use include:
    • 7.2.1 applying encryption methods to your personal data when we store it on our internal database and/or when we need to transfer it to a third party (or internally);
    • 7.2.2 ensuring we have appropriate firewalls in place;
    • 7.2.3 providing data protection training to our staff;
    • 7.2.4 regularly monitoring our systems for possible vulnerabilities and attacks, and carrying out penetration testing to identify ways to further strengthen security;
    • 7.2.5 asking for proof of identity (where appropriate) before we share your personal data with you;
    • 7.2.6 requiring staff to comply with data protection policies; and
    • 7.2.7 restricting access to personal data on a need-to-know basis.
  • 8. International data transfers
  • To achieve the purposes set out in section 4 above, it may be necessary for us to provide your personal data to parties which may be located outside of your jurisdiction (i.e. the country in which you live).
    This section identifies those countries in which the various third-party recipients of your personal data are located, and explains how we comply with our relevant legal obligations.
  • 8.1 The servers we use to store personal data during the recruitment process and afterwards (either as standalone storage, or as a result of the third-party software tools/services we use) will be based in the UK, EU, Australia, Singapore and the US.
  • 8.2 As part of the recruitment process, we may need to transfer your personal data to our colleagues whose relevant group company is based in a country outside of that in which you originally submitted your information. These countries may have data protection and privacy laws that are different to the laws of your country and, in some cases, may not be as protective.
  • 8.3 However, we take appropriate safeguards to require that personal data will remain protected in accordance with this Privacy Notice. These include implementing the European Commission’s Standard Contractual Clauses for transfers of personal data between our group companies, which require all group companies to protect personal data they process from the EEA in accordance with European Union data protection and privacy law.
  • 8.4 Our Standard Contractual Clauses can be provided on request. We have implemented similar appropriate safeguards with our third-party service providers and partners and further details can be provided upon request by contacting
  • 9. Data retention
  • We have a legal obligation not to retain personal data for longer than is necessary. The period of such retention may vary depending on the purposes for which we collected personal data.
    This section explains the length of time we will retain your personal data for, or where it is not possible, the considerations we will take into account when determining the relevant retention period.
  • 9.1 If you are unsuccessful in the application process, we will retain your personal data for a period of 12 months after we have communicated to you our decision to not hire you. We retain your personal data for that period:
    1. so that we can show, in the event of a legal claim, that we have not discriminated against candidates on prohibited grounds and that we have conducted the recruitment exercise in a fair and transparent way; and
    2. to write to you with details of any other vacancies which may arise in the future which we feel you might be interested in.
  • 9.2 We will write to you every 12 months to confirm whether you wish to continue to hear from us about future job opportunities. If you decline to receive such further information or fail to respond to our request for consent, we will securely destroy your personal data in accordance with applicable laws and regulations.
  • 9.3 If you are successful in the application process and you start working with us, we will retain your personal data in accordance with section 1.4 and section 4.1(i) of this Privacy Notice.
  • 10. Rights of access, correction, erasure, and restriction
  • Depending on the circumstances in which your personal data was collected and/or is being used, the law grants you certain rights which you can exercise.
    This section explains what those rights may be and how you can exercise them.
  • 10.1 Under certain circumstances, by law you have the right to:
    • 10.1.1 You have the right to access, correct, update or request deletion of your personal data, object to our processing of your personal data, restrict our processing of your personal data, or request portability of your personal data. If you wish to do any of those things, please contact us at
    • 10.1.2 Similarly, if we have collected and process personal data with your consent (see the table set out in section 4 about when we rely on your consent), you can withdraw your consent at any time by contacting us at Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal. It also will not prevent us from continuing to process the personal data we have collected from you without consent (e.g. where we collected it in accordance with our legitimate business interest). See section 4 for further information.
    • 10.1.3 You have the right to complain to a data protection authority about our collection and use of your personal data. For more information, please contact your local authority. (Contact details for authorities in the UK, European Economic Area, Switzerland and certain non-European countries (including the US and Canada) can be found by clicking these links).
  • 10.2 We respond to all requests we receive from individuals wishing to exercise their rights in accordance with the law. When making a request, we may ask you to verify your identity (e.g. by providing a copy of suitable identification). Please provide any reference number for the job application you applied for, and describe your request with sufficient detail that allows us to properly understand, evaluate and respond to it.
    • 10.2.1 You can also exercise your rights above by calling our head office at +44 20 3986 5499.
    • 10.2.2 You will not receive discriminatory treatment if you choose to exercise any of your rights.
  • 11. Updates to this Privacy Notice
  • 11.1 We may update this Privacy Notice from time to time in response to changing legal, technical or business developments. When we update our Privacy Notice, we will take appropriate measures to inform you, consistent with the significance of the changes we make. We will obtain your consent to any material Privacy Notice changes if and where this is required by law.
  • 11.2 You can see when this Privacy Notice was last updated by checking the “last updated” date displayed at the top of this Privacy Notice.
  • 12. How to contact us
  • 12.1 If you have any questions or concerns about our use of your information, please contact our Data Protection Officer using the following details: The data controller of your information is dunnhumby Limited.
  • 12.2 You also have the right to lodge any complaints or concerns with your local data protection authority (DPA). You can find a list of the European DPAs here.