Privacy Notice – CAPP Finity Tool

1. Introduction

This Privacy Notice is intended to describe the practices EY follows in relation to the CAPP Finity Tool (“Tool”) with respect to the privacy of all individuals whose personal data is processed and stored in the Tool. This Privacy Notice should be read together with the Privacy Statement, and in case of any conflict with the Privacy Statement, the terms of this Privacy Notice will prevail. Please read this Privacy Notice carefully.

2. Who manages the Tool?

“EY” refers to one or more of the member firms of Ernst & Young Global Limited (“EYG”), each of which is a separate legal entity and can determine the purposes and means for data processing in its own right (i.e. act as a data controller or in a similar capacity).

The entity that is acting as data controller (or similar capacity) by providing this Tool on which your personal data will be processed and stored is:

  • For the personal data of EY personnel: The data controller is the EY entity which employs you.
  • For the personal data of third-party personnel (including EY clients): The data controller is the EY local member firm with which the third party has a relationship.

You can find a list of local EY member firms and affiliates on the Privacy Statement.

The personal data you provide in the Tool is shared by the above data controller with one or more member firms of EYG (see “Who can access your information” section below).

The Tool is hosted externally by the vendor or its third-party hosting provider in the Rackspace data centre (Greater London, UK).

3. How does the Tool process personal data?

The Tool assesses competencies and aptitude of candidates using a digital psychometric assessment based on game technology.

Your personal data processed in the Tool is used as follows:

Candidate response data is processed in the Tool using an algorithm. The resulting analysis is used as candidate identifiers in order to determine progression through the recruitment process. Progression is based entirely on assessment scores and not on demographic data.

EY relies on the following basis to legitimize the processing of your personal data in the Tool:

  • The data subject has given consent to the processing of their personal data for one or more specific purposes.
  • Processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. The specific legitimate interest(s) pursued are as follows: Human Resource management, including performance reviews and recruitment.

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you based on the above legitimate interest(s).

The provision of your personal data to EY is optional. However, if you do not provide all or part of your personal data, we may be unable to carry out the purposes for processing.

4. What type of personal data is processed in the Tool?

The Tool processes these personal data categories: 

EY Personnel:

  • EY Recruiters
    • Full name
    • Email address
    • Audit logs relating to user login


  • Candidates
    • Full name
    • Email address
    • Assessment data
    • Audit logs relating to user login

This data is sourced from:

  • A feed from other EY Systems (GRMS – Taleo)
    • EY Recruiters
      • Full name
      • Email address
  • Provided directly by Candidates
    • Candidates
      • Full name
      • Email address
      • Assessment data

5. Sensitive Personal Data

Sensitive personal data reveals your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning sex life or sexual orientation.

It is possible that Sensitive Personal Data will be processed by the Tool as part of evaluations, but this is not collected by the Tool as part of the recruitment process (e.g. ethnicity).

It is possible that reasonable adjustment requirements will be collected / processed by the Tool in order to provide reasonable adjustments within the process as needed. This is simply a statement check box that a candidate requires reasonable adjustments. This would be considered to relate to a candidate’s health condition.

The Tool also processes personal data relating to personality. There is a possibility, in certain jurisdictions, that this may be classed as health data and therefore as sensitive personal data.  

6. Who can access your personal data?

Your personal data is accessed in the Tool by the following persons/teams:


  • EY Recruiters: EY Recruiters will have access to candidate assessment results for candidates in their respective countries. EY Recruiters can also gain access to a report for each candidate to obtain more details on their specific traits.
  • EY Local Recruitment Leadership (a subset of EY Recruiters) will have the same rights as the EY Recruiters, and elevated administrative rights that will allow them to modify recipient access rights.
  • Candidates: Candidates will be able to log in and view their results.
  • Vendor Personnel: Capp Software Engineers will have access to the data in the system on a global level.
  • Tata Consultancy Services (TCS) will access the Tool to investigate and resolve technical problems and help requests.
  • IBM will access the data to provide IT Support Services.

| Role | Location | Purpose for which access is required | Level of access rights (e.g. read-only, edit, delete) |
| --- | --- | --- | --- |
| EY Recruiters | Global (depending on where it is deployed) | Assess candidates and obtain information on the prioritisation/scoring of candidates and any potential follow ups. | Read, edit, delete. Access rights restricted by country. |
| EY Local Recruitment Leadership | Global (depending on where it is deployed) | Assess candidates and obtain information on the prioritisation/scoring of candidates and any potential follow ups. Update profiles and access rights of EY Recruiters. Update local country instance of the Tool as needed. | Read, edit, delete and administrative rights |
| | Global (depending on where it is deployed) | View assessment results | |
| Capp users | | Maintenance and support | Read, write, edit, delete. Access to global data from UK location. |
| Tata Consultancy Services (TCS) | India and Mexico | Maintenance and support | Read, write, edit, delete. Access to global data from India and Mexico location. |
| IBM IT Support Team | Canada, China, Czech Republic, Hungary, India, Malaysia, Mexico, Oceania, Philippines, Poland, the UK, the US, Costa Rica and Australia | To provide IT support Services including the Digital Talent System Support Services to level 2 and 3 operational and release management. | The access to this tool will be given based on need and role. For Level 2 and Level 3 support, access will be provided to 40 (approx.) IBM IT support team members. IBM IT Support Team will have read, update and add access. |

EY access locations will be dependent on EY roll outs of the Tool.

EY Recruiters will only be able to see the data relevant to their locations. CAPP has full access to all data in the Tool.

The access rights detailed above involve transferring personal data in various jurisdictions (including jurisdictions outside the European Union) in which EY operates. An overview of EY network entities providing services to external clients is accessible via the UK site (see Section 2 (About EY) - “View a list of EY member firms and affiliates”). EY will process your personal data in the Tool in accordance with applicable law and professional regulations in your jurisdiction. Transfers of personal data within the EY network are governed by EY’s Binding Corporate Rules.

We transfer or disclose the personal data we collect to third-party service providers (and their subsidiaries and affiliates) who are engaged by us to support our internal ancillary processes. For example, we engage service providers to provide, run and support our IT infrastructure (such as identity management, hosting, data analysis, back-up, security and cloud storage services) and for the storage and secure disposal of our hard copy files. It is our policy to only use third-party service providers that are bound to maintain appropriate levels of data protection, security and confidentiality, and that comply with any applicable legal requirements for transferring personal data outside the jurisdiction in which it was originally collected.

To the extent that personal data has been rendered anonymous in such a way that you or your device are no longer reasonably identifiable, such information will be treated as non-personal data and the terms of this Privacy Notice will not apply.

For data collected in the European Economic Area (EEA) or which relates to individuals in the EEA, EY requires an appropriate transfer mechanism as necessary to comply with applicable law. The transfer of personal data to Tata Consultancy Services (TCS) and IBM is governed by contracts that include standard data protection clauses adopted by the European Commission.

7. Data retention

Our policy is to retain personal data only for as long as it is needed for the purposes described in the section “How does the Tool process personal data?” Retention periods vary in different jurisdictions and are set in accordance with local regulatory and professional retention requirements.

The policies and/or procedures for the retention of personal data in the Tool are:

Data retention is in accordance with EY Records Retention Global Policy and the applicable Global, Area, Region or Country Retention Schedule.

EY will define data retention according to local laws. It will apply the Taleo retention policy for this Tool.

Taleo retention policy: They currently have an automated data purge task in Taleo that removes/deletes all candidate files that meet purge criteria. The criteria are: no activity has taken place in the file for 3 years or the file does not include a hire.

Your personal data will be retained in compliance with privacy laws and regulations.

After the end of the data retention period, your personal data will be deleted. 

8. Security

EY protects the confidentiality and security of information it obtains in the course of its business. Access to such information is limited, and policies and procedures are in place that are designed to safeguard the information from loss, misuse and improper disclosure. Additional information regarding our approach to data protection and information security is available in our “Protecting your data 2018” brochure (PDF).

9. Controlling your personal data

EY will not transfer your personal data to third parties (other than any external parties referred to in section 6 above) unless we have your permission or are required by law to do so.

10. Your rights in relation to your personal data

Depending on the applicable jurisdiction, you may have certain rights in relation to your personal data, including:

  • To request details of the personal data EY processes about you and to access the personal data that EY processes about you
  • To have your personal data corrected, for example, if it is incomplete or incorrect
  • To restrict or object to the processing of personal data or request the erasure of your personal data
  • To receive a copy of the personal data which you have provided to EY in a structured, commonly used and machine-readable format which you can re-use for your own purposes (known as “data portability”)
  • Where you have provided consent to the processing of your personal data, the right to withdraw your consent.
  • The right to complain to a data protection authority (see section “Complaints”)

If you have any questions about how EY processes your personal data or your rights related to your personal data, please send an e-mail to the data protection team.

11. Complaints

If you are concerned about an alleged breach of privacy law or any other regulation, contact EY’s Global Privacy Leader, Office of the General Counsel, 6 More London Place, London, SE1 2DA, United Kingdom, or via email at the data protection team, or via your usual EY representative. An EY Privacy Leader will investigate your complaint and provide information about how it will be handled and resolved.

If you are not satisfied with how EY resolved your complaint, you may have the right to complain to your country’s data protection authority. You may also have the right to refer the matter to a court of competent jurisdiction. 

Certain EY member firms in countries outside the European Union (EU) and the UK have appointed representatives in the EU and the UK respectively to act on their behalf if, and when, they undertake data processing activities to which the EU General Data Protection Regulation (GDPR) and/or the UK General Data Protection Regulation (UK GDPR) applies. Further information and the contact details of these representatives are available below:

EU data protection representative

UK Data protection representative

12. Contact us

If you have additional questions or concerns, contact your usual EY representative or email the data protection team.