WHY DO WE HAVE THIS PRIVACY NOTICE?
We are Gymshark and treating individuals and their personal information with respect reflects our core values and the values of our brand(s). So we want you to know as much as possible about what we do with your personal information. Also you and your personal information are protected by various laws and guidance and Gymshark is committed to upholding these and respecting your privacy and keeping your information safe. So whilst this privacy notice is quite long, we want you to be fully informed. We hope you enjoy reading it and hopefully we look forward to welcoming you to the Gymshark family. Please note while you read it, that not all parts of this privacy notice may apply to you depending upon the nature of your role with us that you are applying for.
In this privacy notice any reference to "us", "we", "our" or "ourselves" is a reference to Gymshark, and the particular part of the Gymshark group that you work for and any reference to "you", "your" and "yourself" is a reference to you as an applicant to become one of our staff or to start working for us.
This privacy notice applies to all current and past applicants for positions to work for Gymshark. You may be applying to work for us as one of our staff as an employee, director, temporary worker or consultant. This privacy notice provides details in accordance with data protection laws about how we collect and use personal information about you during and after our recruitment process.
Please note that we have a separate privacy notice that relates to personal information captured by our CCTV and Access Control systems. A copy can be found at www.gymshark.com/pages/gymshark-privacy-notice. We have a separate privacy notice that applies to our customers and potential customers, a copy of which can be found at www.gymshark.com/pages/gymshark-privacy-notice so this will apply if you purchase products from us, use our Gymshark app(s), add yourself to our marketing database, enter any of our promotions/competitions, apply to attend any of our events or you have an unpaid active social media relationship with us. Finally we have a separate Rest of the World privacy notice that applies to any other individual that may interact with us, a copy of which can be found at www.gymshark.com/pages/gymshark-privacy-notice and this covers everyone else including influencers or athletes who have a business relationship with us. This privacy notice does not apply to you therefore to the extent you are an athlete or influencer that we work with or applies to work with us. You should also read these privacy notices to the extent that they will apply to your activities as they may apply to you in addition to this privacy notice.
We also have a separate privacy notice that will apply to you if you are successful in your application to work for us, and we will provide that to you once you are successful in your application as part of your joining process.
THE CONTROLLER OF YOUR PERSONAL INFORMATION
For the purposes of data protection laws and this privacy notice, whichever part of the Gymshark group is processing your personal information is the controller of your personal information for that processing of your personal information. This will usually be the part of the Gymshark group that you are applying to work for. Being a controller of your personal information means that we are responsible for deciding how we hold and use your personal information. Our main trading entity is Gymshark Limited (Reg No 08130873) which is incorporated in England and Wales. If you are based in the UK then this company will be the controller of your personal information. If you are based outside of the UK then the controller of your personal information will be the part of our group that you apply to work for. Sometimes we may pass personal information to different parts of our group, so this privacy notice covers our whole group and more than one part of our group may be a controller of your personal information. However regardless of where you are based and regardless of which part of our group may be a controller of your personal information, any queries you have regarding your personal information will be dealt with by Gymshark Limited, which can be contacted at email@example.com.
YOUR DUTY TO INFORM US OF CHANGES
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during the period of your application to work for us. We may also hold your records on file for future positions even if you are unsuccessful in your initial application to join us, so again ideally please update us with any changes.
WHAT IF YOU DO NOT PROVIDE PERSONAL INFORMATION?
Failing to provide some of the personal information we require may mean that your application to join us will not be successful and we are unable to consider you for the position you are applying for.
Certain information, such as contact details, your right to work in the UK and payment details, must be provided to enable us to enter into a working relationship with you.
IF YOU HAVE QUERIES OR CONCERNS JUST ASK!
We have appointed a data protection officer (DPO) to oversee our compliance with the data protection laws. If you have any questions about this privacy notice or how we handle your personal information, please contact our DPO at firstname.lastname@example.org.
CHANGES TO THIS NOTICE
We keep our privacy notice under regular review and we may update this privacy notice at any time. The current version of this notice is available via our Applicant Tracking System (ATS) or by requesting a copy from email@example.com. If there are any material changes to this privacy notice in the future we will let you know, usually by updating the version on our website.
DATA PROTECTION PRINCIPLES
We are committed to being transparent about how we collect and use your personal information and in meeting our data protection obligations. Data protection laws say that the personal information we hold about you must be:
To make sure this happens we are required under data protection laws to notify you of the information contained in this privacy notice. It is important that you read this document before you make your application to join us so that you understand how and why we will process your personal information.
WHAT PERSONAL INFORMATION DO WE COLLECT?
In connection with your application to work with us, we may collect and process a wide range of personal information about you. This includes:
We may also collect and process more sensitive special category personal information including:
If you are providing us with details of referees they have a right to know and to be aware of what personal information we hold about them, how we collect it and how we use and may share that information. Please share this privacy notice with them. They also have the same rights as set out in this privacy notice in relation to their personal information that we collect.
WHERE DO WE COLLECT YOUR PERSONAL INFORMATION FROM?
Gymshark collects your personal information in a variety of ways and from a variety of sources as set out below:
We store personal information relating to you in a range of different places, but mainly in our people management systems and in other information technology systems (including our email system).
WHAT ARE OUR BASES FOR PROCESSING YOUR PERSONAL INFORMATION?
We will only use your personal information when the law allows us to. This means we must have one or more legal bases to use your personal information. Most of these will be self-explanatory. The most common legal bases which will apply to our use of your personal information are set out below:
Where we are processing any sensitive special category personal information about you (for example personal information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, , data concerning health or data concerning a natural person’s sex life or sexual orientation) we also need to have one or more of the following legal bases for using your personal information.
We will not process all types of special category personal information about you, and in cases where we do process special category personal information about you it will generally be to comply with legal obligations, where you have given your consent or to establish, exercising or defending legal claims. In some cases more than one legal bases may apply to our use of your personal information.
HOW WILL WE USE YOUR PERSONAL INFORMATION?
There are many ways we will need to use your personal information during the application process with us. We have set out the main uses below, and indicated the main applicable legal bases of processing, but there may be other specific uses which are linked to or covered by the uses below.
CHANGE OF PURPOSE
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. Our main purpose is to collect personal information about you to decide whether to recruit you now or in the future to join our workforce. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law. We will rarely need to rely on your consent to process any of your personal information.
Automated decision-making takes place when an electronic system uses personal information to make a decision about that person without any human intervention. We do not currently use automated decision making in our business in relation to applications to join our workforce.
You will not be subject to decisions that will have a significant impact on you based solely on automated decision making unless we have a lawful basis for doing so and we have notified you.
WHO HAS INTERNAL ACCESS TO YOUR PERSONAL INFORMATION?
Your personal information may be shared internally, including with members of the People and Talent (recruitment) teams, managers and senior staff in the business area involved in your recruitment, the technology or legal teams where access to your personal information is necessary for the performance of their roles. We only provide access to your personal information to those of our staff who need to have access to your personal information.
WHO DO WE SHARE YOUR PERSONAL INFORMATION WITH EXTERNALLY?
When using your personal information we may share it with third parties, but we will only do so when it is appropriate and we have a legal basis for doing so. Third parties that we may share your personal information with include:
It is sometimes necessary to share your personal information outside of the UK and the European Economic Area (the EEA) or it will be collected outside of the UK and the EEA. This will typically occur when service providers to our business are located outside the EEA or if you are based outside the EEA. These transfers are subject to special rules under data protection laws.
The same applies to any transfer of personal information to another part of our group of companies based outside of the UK and the EEA. We also apply the same standards to any transfer of personal information between members of our group, regardless of where the group company is based.
If we transfer your personal information outside of the UK and the EEA, we will ensure that the transfer will be compliant with data protection laws and all personal information will be secure. Our standard practice is to assess the laws and practices of the destination country and relevant service provider and the security measures that are to be taken as regards the personal Information in the overseas location; alternatively, we use standard data protection clauses. This means that when a transfer such as this takes place, you can expect a similar degree of protection in respect of your personal information.
Our directors and other key staff working for us may in limited circumstances access personal information from outside of the UK and EEA if they are on holiday abroad outside of the UK or EEA. If they do so they will be using our security measures and the same legal protections will apply that would apply to accessing personal information from our premises.
In limited circumstances the people to whom we may disclose personal information may be located outside of the UK and EEA and we will not have an existing relationship with them, for example a foreign police force. In these cases we will impose any legally required protections to the personal information as required by law before it is disclosed.
If you would like any more details about how we protect your personal information in relation to international transfers then please contact our DPO at firstname.lastname@example.org.
HOW DO WE PROTECT YOUR PERSONAL INFORMATION?
We are committed to keeping your personal information safe and secure and so we have numerous security measures in place to protect against the loss, misuse, and alteration of information under our control. We will always aim to use best in class security systems implemented across our networks and hardware to ensure access and information are protected. Our security measures include:
We take information security very seriously and will use all reasonable endeavours to protect the integrity and security of the personal information we collect about you.
FOR HOW LONG DO WE KEEP YOUR PERSONAL INFORMATION?
We will hold your personal information for the duration of your application process to join us and, if your application is unfortunately unsuccessful, for a further period of up to 3 years after our decision not to take you on. We may, during that period, contact you again to check whether you would still like us to keep you on file for any future positions that may become available and contact you about them if we think you may be suitable for the role. However in some cases we may need to keep your personal information for longer, for example if it is still relevant to a dispute or legal case or claim.
We will not retain your personal information for longer than necessary for the purposes for which it was collected and for which it is being used. We do not guarantee to retain your personal information for the whole of the periods set out above, they are usually the maximum period.
For more information please see our Data Retention Policy which can be obtained from our DPO at email@example.com.
As an individual whose personal information we collect and process, you have a number of rights. You may:
You should note that some of these rights, for example the right to require us to transfer your personal information to another service provider or the right to object to automated decision making, may not always apply as they have specific requirements and exemptions which apply to them and they may not apply to personal information recorded and stored by us. For example we do not use automated decision making in relation to your personal information. However, some have no conditions attached, so your right to withdraw consent or object to processing for direct marketing are absolute rights.
If you would like to exercise any of these rights, please contact our DPO at firstname.lastname@example.org.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person or dealt with by a person who has no right to do so.
Whilst this privacy notice sets out a general summary of your legal rights in respect of personal information, this is a complex area of law. More information about your legal rights can be found on the ICO’s website at https://ico.org.uk/for-the-public/.
We hope you don’t have any reason to complain, and we will always try to resolve any issues you have, but you always have the right to make a complaint at any time to the ICO if you are based in the UK about how we deal with your personal information or your rights in relation to your personal information. If you are based outside of the UK you may have the right to complain to your local data protection regulator.
You can make a compliant in writing to the ICO, Wycliffe House, Water Lane, Wilmslow, SK9 5AF, United Kingdom or you can go to https://ico.org.uk/make-a-complaint/.
If you have any queries regarding our use of your personal information or this privacy notice then please contact our DPO at email@example.com or write to DPO, Gymshark, GSHQ, Blythe Valley Park, 3 Central boulevard, Solihull, B90 8AB, United Kingdom. You can use these details regardless of which of our group companies you are applying to work for.