1. Introduction
1.1. What is the purpose of this document?
Lattice (“Lattice” or “we”) is committed to protecting your personal data and your privacy. We endeavor to ensure that any personal data we collect about you will be held and processed strictly in accordance with European and Californian data protection legislation, and applicable data protection legislation.
If you are resident in the EU, this will include the European General Data Protection Regulation (“GDPR”) or, if you are resident in a country that has adopted a local law to implement or adopt the GDPR such as the United Kingdom (together “GDPR Subjects”), the applicable local law implementing or adopting the GDPR (“Applicable Local Laws”). Please see the section “Additional Information for GDPR Subjects” below, for further information.
If you are a resident of California, this will include the California Consumer Privacy Act of 2018 (“CCPA”). Please see the section “Additional Information for California Consumers” below, for further information.
The terms Personal Data, Data Controller and processing have the meanings given to them in the GDPR (which can be accessed here), unless otherwise indicated.
When we refer to “personal data” in this Privacy Notice, we mean any information about you from which you can be identified. It does not include data where your identity has been removed (anonymous data).
The term CCPA refers to the Californian Consumer Privacy Act of 2018 which adds Title 1.81.5 (commencing with Section 1798.100) to Part 4 of Division 3 of the Civil Code of the State of California. “
Lattice has created this Job Candidate Privacy Notice to explain how and why we collect Personal Data about you (“Your Data”), what that data is, under what circumstances we may disclose or transfer it, and how long we store it for. It provides you with certain information that must be provided to you under the GDPR, CCPA and other applicable data protection legislation.
1.2. What does this Notice cover?
This Privacy Notice sets out information relating to the Personal Data we collect from or about you when you apply to work for us, whether as an employee, worker or contractor. It will apply when you submit your CV or an application form directly to us, through our online recruitment portal, https://lattice.com/careers, or where your CV or application form has been sent to us by a recruitment agent on your behalf.
1.3. How do I contact Lattice?
For the purposes of the GDPR and Applicable Local Laws, Lattice is the “data controller” of Your Data. This means that we are responsible for deciding how we hold and use Your Data.
If you have any queries regarding this notice or complaints about our use of Your Data, please contact us at [email protected] or at the address below and we will do our best to deal with your complaint or query as soon as possible.
Lattice
600 Battery St Floor 2
San Francisco, CA 94111
2. Information about our use of your data
2.1. The kind of information we hold about you
In connection with your application for work with us, we will collect, store, and use the following categories of Personal Data about you:
- The information you have provided to us in your online application, curriculum vitae and covering letter or email.
- Any information you provide to us during an interview.
This information is likely to include the following types of Personal Data:
- Name
- Email address
- Postal address
- Date of Birth
- Qualifications
- Experience
- Employment history
- Educational history
- Skills
We may also collect, store and use the following types of more sensitive personal information (known as “Special Category Data”), where this information is relevant to the role you are apply for and/or you choose to disclose it to us:
- Information about your race or ethnicity
- Information about your health, including any medical condition, health and sickness records.
- Information about criminal convictions and offences.
2.2. How is your personal information collected?
We collect personal information about you in a variety of ways. The majority of the information we collect will come directly from you in the following ways:
- Information you voluntarily upload to our careers/recruitment website;
- notes made by our recruitment team during a recruitment interview;
- information from official documentation you provide to us such as for background checks
Other details may be collected indirectly from the following sources:
- You, the candidate
- recruitment agencies
- your named references
- background check providers
- credit reference agencies
- third party platforms such as Indeed or LinkedIn, if these were used to apply for the role; and
- publicly available sources such as social media sites (to the extent necessary and relevant to the job role).
If you have submitted your application through our recruitment portal, Greenhouse, we may also link the data you provide to us with other publicly available information about you that you have published on the internet, including sources such as LinkedIn and other social media profiles.
2.3. How we will use information about you
We will use the personal information we collect about you to:
- Assess your skills, qualifications, and suitability for the role advertised.
- Carry out background and reference checks, where applicable.
- Communicate with you about the recruitment process.
- Keep records related to our hiring processes.
- Comply with legal or regulatory requirements, such as right to work checks.
Our legal basis for processing Your Data in this way is that it is necessary for our legitimate interests to decide whether to appoint you to the role, since it would be beneficial to our business to appoint someone suitable to that role. Where we are processing Your Data in order to comply with legal or regulatory requirements, our legal basis is that it is necessary for compliance with a legal obligation to which we are subject.
Further, we will process certain of your personal information to decide whether to enter into an employment contract with you.
Once you submit your CV and covering letter to us (or your recruitment agent provides them to us), we will process that information to decide whether you meet the basic requirements to be shortlisted for the role and, if so, invite you for an interview.
- A recruiter will review your application and either move you through process or reject you
- If moved through, the recruiter will reach out to schedule a call with a member of the recruiting team
- If that call goes well, there will be another call with the hiring manager
- In some cases, there is a take home assignment
- Following this, there is a round or 2 of onsite interviews
- After an onsite, the team will debrief
- If the debrief is positive, the recruiter will reach out to collect references
- Either after references are checked or while they are being checked the team will extend an offer
- Once a verbal offer is accepted a written offer will be sent
- Once the written offer is signed, a background check will be conducted
2.4. What happens if you fail to provide personal data
You are not obliged to provide us with Personal Data. However, if you decline to provide information when requested, and this information is necessary for us to consider your application (such as evidence of qualifications or work history), we will not be able to process your application successfully. For example, if we require a credit check or references for this role and you fail to provide us with relevant details, we will not be able to take your application further.
2.5. How will we use particularly sensitive personal information
We will use your Special Category Data in the following ways, only with your consent:
- We will use information about your medical or disability status to consider whether we need to provide appropriate adjustments during the recruitment process, for example whether adjustments need to be made during a test or interview.
- We will use information about your race or national or ethnic origin to ensure meaningful Equal Employment Opportunity/Affirmative Action record keeping, reporting, and other legal requirements.
Our legal basis for using your Special Category Data is consent. Providing U.S. Equal Opportunity Information and Self-Identification of Disability is completely voluntary.
2.6. How will we use information about criminal convictions?
If we decide to offer you the role, we may undertake checks to establish whether you have any criminal convictions. We will only collect criminal conviction data where it is appropriate given the nature of your role and where the law permits us.
2.7. Will you be subject to automated decision-making?
You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making.
2.8. Will we share your data with third parties?
We will only share Your Data with the following third parties for the purposes of processing your application:
- Background check providers
- Candidate profiling service provider (if we ask you to undertake a candidate profile test)
- Our recruitment portal provider Greenhouse
- Contractors/consultants providing HR services to Lattice.
All our third-party service providers and other entities in the group are required to take appropriate security measures to protect Your Data in accordance with the law and in line with our policies. We do not allow our third-party service providers to use Your Data for their own purposes. We only permit them to process Your Data for specified purposes and in accordance with our instructions.
2.9. What data security do we have in place?
We have put in place appropriate security measures to prevent Your Data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. In addition, we limit access to Your Data to those employees, agents, contractors and other third parties who have a business need-to-know. They will only process Your Data on our instructions, and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
2.10. How long will we use your data for
We will normally retain Your Data for as long as necessary to assess your candidacy for a position with Lattice,
Please note that, in certain circumstances, we may retain limited information about you for the period of time during which you are able to bring a discrimination claim under your local law. We retain the information for that period so that we can show, in the event of a legal claim, that we have not discriminated against candidates on prohibited grounds and that we have conducted the recruitment exercise in a fair and transparent way. We will only retain the minimum amount of Personal Data required in these circumstances and will securely delete all other Personal Data that we hold about you.
3. Additional information for GDPR subjects and California residents
3.1. EU privacy rights
Under the GDPR or Applicable Local Laws , you have certain rights with respect to your Personal Data, including those set forth below.
- right to request access – you may obtain confirmation from us as to whether or not Your Data is being processed and, where that is the case, access to Your Data;
- right to erasure – you have the right to obtain the erasure of Your Data without undue delay in certain circumstances
- right to data portability – you have the right to receive Your Data in a structured, commonly used and machine-readable format;
- right to withdraw consent – where you have provided your consent to us processing Your Data, you have the right to withdraw your consent at any time. This can be done by emailing (insert e-mail address) at any time;
- right to rectification – you have the right to obtain rectification of inaccurate personal data we hold concerning you;
- right to restriction of processing or to object to processing – you may require us to restrict the processing we carry out on Your Data in certain circumstances or to object to us processing Your Data;
- right to lodge a complaint – you may lodge a complaint with the supervisory authority in the EU Member State where you are resident or where you work. For further information on your rights, please see the supervisory authority of your country or EU Member State.
3.1.1. No fee usually required
You will not have to pay a fee to access Your Data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
3.1.2. What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
3.1.3. Time limit to respond
We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
3.2. California privacy rights
California residents have the following rights with respect to their Personal Data:
- Right to request disclosure – You have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months. Once we receive and confirm your verifiable consumer request, we will disclose to you:
- The categories of personal information we collected about you.
- The categories of sources for the personal information we collected about you.
- Our business or commercial purpose for collecting or selling that personal information.
- The categories of third parties with whom we share that personal information.
- The specific pieces of personal information we collected about you (also called a data portability request).
- If we sold or disclosed your personal information for a business purpose, two separate lists disclosing:
- sales, identifying the personal information categories that each category of recipient purchased; and
- disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained.
- Right to request deletion - You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies.
We may deny your deletion request in certain circumstances as specified in the CCPA., such as because we need the data to comply with our legal obligations or because we or our service providers need it complete the transaction for which we collected the personal information.
We do not sell any Personal Data provided to us by job candidates. We use the information solely for the purposes of the recruitment process.
3.2.1. Background check providers
If you are applying for a role in our United States office, we use background check providers, Goodhire, local to those offices. It may, therefore, be necessary to transfer your data to third parties outside the EEA in these instances.
Whenever we transfer Your Data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission. For further details, see European Commission: Adequacy of the protection of personal data in non-EU countries.
- Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe. For further details, see European Commission: Model contracts for the transfer of personal data to third countries.
- Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the US. For further details, see European Commission: EU-US Privacy Shield.
Please contact us if you want further information on the specific mechanism used by us when transferring Your Data out of the EEA.
