Web Privacy Policy – Yello Recruitment Site

July 2022

1. Introduction

This Privacy Notice is intended to describe the practices EY follows in relation to the Yello (“Tool”) with respect to the privacy of all individuals whose personal data is processed and stored in the Tool. This Privacy Notice should be read together with the ey.com Privacy Statement, and in case of any conflict with the ey.com Privacy Statement, the terms of this Privacy Notice will prevail. Please read this Privacy Notice carefully. 

2. Who manages the Tool?

“EY” refers to one or more of the member firms of Ernst & Young Global Limited (“EYG”), each of which is a separate legal entity and can determine the purposes and means for data processing in its own right (i.e. act as a data controller or in a similar capacity).

The entity that is acting as data controller (or similar capacity) by providing this Tool on which your personal data will be processed and stored is:

  • For the personal data of EY personnel: The data controller is the EY entity which employs you.
  • For the personal data of third party personnel (including EY clients): The data controller is the EY local member firm with which the third party has a relationship.

You can find a list of local EY member firms and affiliates on the ey.com Privacy Statement.

The personal data in the Tool is shared by the above data controller with one or more member firms of EYG (see “Who can access your personal data” section 6 below).

The Tool is hosted on Amazon Web Services servers in Ireland and Frankfurt.

3. How does the Tool process personal data? 

The Tool is a cloud-based system which will facilitate better support by EY Talent Teams to the business and support EY’s campus recruiting efforts. The Tool has two functionalities: (i) to act as a recruiting tool for the submission of job applications; and (ii) to act as a pool of applicants for job roles.

If you are a Candidate or Applicant, your personal data is processed in the Tool is used as follows: 

  • Account creation;
  • Logging into Yello;
  • Sending invitations for, and managing, campus events;
  • Submission of job applications;
  • Conduct of digital interviews;
  • Assessment of job applications;
  • Managing candidate nurturing and communication (for example, marketing emails in respect of those candidates/applicants who have opted into the talent pool);
  • Selection of successful candidates for hiring;
  • Scheduling interviews; and
  • Providing updates after interviews.

EY relies on the following basis to legitimize the processing of your personal data in the Tool:

For Non- Sensitive Personal data - Processing of your personal data is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. The specific legitimate interest(s) are:

  • Human Resource management, including performance reviews and recruitment; and
  • Success of EY’s recruiting practices, including sourcing, Recruiting, Selection and Hiring.

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you based on the above legitimate interest(s).

For Sensitive Personal data - We process your sensitive personal data based on your consent. The provision of your personal data to EY is optional. However, if you do not provide all or part of your personal data, we may be unable to carry out the purposes for processing. You have the right to withdraw your consent at any time.

If you are an EY User of the Tool, your personal data that is processed in the Tool is used as follows:

  • Account creation;
  • Logging into Yello;
  • Creation of job requisitions and events;
  • Sending invitations for, and managing, campus events;
  • Conduct of digital interviews;
  • Assessment of job applications;
  • Managing candidate nurturing and communication; and
  • Selection of successful candidates for hiring;
  • Scheduling interviews;
  • Providing updates after interviews; and
  • Identifying interviewers.

EY relies on the following basis to legitimize the processing of your personal data in the Tool:

Processing of your personal data is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. The specific legitimate interest(s) are:

  • Human Resource management, including performance reviews and recruitment; and
  • Success of EY’s recruiting practices, including sourcing, Recruiting, Selection and Hiring.

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you based on the above legitimate interest(s).

If you are a Campus Representative, your personal data that is processed in the Tool is used as follows:

  • Account creation;
  • Logging into the Tool;
  • Sending invitations for, and managing, campus events; and
  • May be processed during the selection of successful candidates for hiring.

EY relies on the following basis to legitimize the processing of your personal data in the Tool:

Processing of your personal data is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. The specific legitimate interest(s) are:

  • Human Resource management, including performance reviews and recruitment; and
  • Success of EY’s recruiting practices, including sourcing, Recruiting, Selection and Hiring.

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you based on the above legitimate interest(s).

4. What type of personal data is processed in the Tool?

The Tool processes these personal data categories:

If you are a Candidate or Applicant, the Tool processes these personal data categories:

  • Candidate profile information (name, contact details, educational information, resume/CV, languages spoken, geographic preferences, location, job applied for/job offered, diversity information, photo);
  • Applicant information for a specific job requisition, interview information (including via video/recorded interviews), assessment information, information pertaining to country-specific regulatory or operational requirements;
  • Sensitive personal data (racial and ethnic origin, health data, sexual orientation, government identifiers such as passport numbers, visa details and national ID numbers); and
  • Data related to criminal convictions will be collected but only in the form of a “yes” or a “no”. No further information on criminal convictions will be processed.

This data is sourced from:

  • EY Partners, employees or contractors (as a referral);
  • SuccessFactors/Employee Central;
  • SF Recruiting;
  • Candidates/applicants themselves; and
  • Assessment data will be fed from other EY tools such as CappFinity, Saville, Pymetrics, and HireVue.

If you are an EY user of the Tool, the Tool processes these personal data categories:

  • User contact data (name, email, phone number, address)
  • Organizational data (location, EY legal entity, department)
  • Single-sign on details

This data is sourced from:

  • EY Partners, employees or contractors and yourself;
  • SuccessFactors/Employee Central; and
  • SF Recruiting.

If you are a Campus Representative, the Tool processes these personal data categories:

  • Name,
  • Email address,
  • Title,
  • Phone number,
  • College/University department.

This data is sourced from:

  • Yourself; and
  • College/university websites or the college/university itself.

5. Sensitive personal data

Sensitive personal data reveals your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning sex life or sexual orientation.

If you are a Candidate or Applicant, the following sensitive personal data is collected and processed in the Tool:

Yello processes the following sensitive personal data, according to local regulations:

  • Racial and ethnic origin;
  • Health data;
  • Sexual orientation;
  • Government identifiers such as passport numbers, visa details and national ID numbers; and
  • Data relating to criminal convictions (please note that only a “yes” or “no” is recorded via the Tool in relation to criminal convictions – no further information or details of those convictions is recorded).

If you are an EY user of the Tool or a campus representative, EY does not intentionally collect any sensitive personal data from you via the Tool. The Tool’s intention is not to process such information.

6. Who can access your personal data?

Your personal data is accessed in the Tool by the following persons/teams:

User group Location Purpose Access Amount
EY Employees, Partners, and Contractors Global To refer other individuals for jobs and serve as ad hoc approvers.
  • Will have write access with the ability to create a job requisition to be approved.
  • Will have write ability to add referrals. 
  • Will have ability to approve requisitions that are sent to them.
  • Will only have access to personal data upon become an EY Hiring Manager.
  • Will have read/write access to the personal data of other EY users (e.g. to assign interviewers).
  • Will have read only access to the personal data of campus representatives.
Approximately 2,000 such users (in total) could have access to personal data but this will be subject to regional variations, types of hiring activities and seasonal changes. Only permissioned users with a valid business reason will have access to the personal data in Yello.

EY Hiring Managers

Global

The individual(s) from the business that will ultimately manage this role and will make hiring decision. 

  • Will have read only access to the personal data of candidates/applicants, and access to view job requisitions and approve offers for the job requisitions that they are listed as hiring manager on.
  • Will have read/write access to the personal data of other EY users (e.g. to assign interviewers).
  • Will have read only access to the personal data of campus representatives.

100,000 such users (in total) but no more than 4 will have access to the personal data for any given job requisition.

Recruiters

Global

The individuals responsible for managing the overall sourcing, recruiting, selection and hiring process.

  • Will have read only access to job requisitions, the personal data of candidates/applicants and offer information for the jobs they are recruiting for.
  • As part of selection process, Recruiters have the ability to write notes in relation to a candidate’s/applicant’s performance.
  • Will have read/write access to the personal data of other EY users (e.g. to assign interviewers).
  • Will have read only access to the personal data of campus representatives.

1800 such users (in total) but no more than 10 will have access to the personal data for any given job requisition.

Recruiting Talent Shared Services and Recruiting Coordinators

Global (specific to TSS: Canada, Poland, India, Philippines, South Africa, BeNe, China, UK)

To support the recruiting process are given the Talent Transactional (TT) and/or Admin Hub roles.

  • Will have read only access to job requisitions, the personal data of candidates/applicants and offer information for the job requisitions that they are supporting.
  • Will have read only access to the personal data of other EY users (e.g. to assign interviewers).
  • Will have read only access to the personal data of campus representatives.

1350 such users (in total). Each region has varying numbers of Recruiting Talent Shared Services and Recruiting Coordinators but all such people will only have access to the personal data in the region they support. Internal policies are in place to limit access to personal data by this user group.

Sourcing Super User

Global

Provide sourcing/recruiting support (ex. identifying potential candidates/applicants for various roles, interview support).

  • Will have read/write access to job requisitions, the personal data of candidates/applicants and offer information for jobs requisitions that they are supporting.
  • Will have read/write access to the personal data of other EY users.
  • Will have read/write access to the personal data of campus representatives.

150 (which represents a limited number of users across 150 countries)

Global System Support

Canada, India, New Zealand, US, Poland

Granted to a limited number of individuals at EY to oversee and manage the tool at a global level including overseeing SF Recruiting support and release activities.

  • Will have full administrative access to personal data, system data and functionality required for system support.

9

Global Reporting

US, India, Poland

Provides global reporting support. To create and manage reports across all data.

  • Will have read only access to anonymized personal data required for report creation globally. Has permission to create and run reports.

 8

Candidates/Applicants

Global

To allow individuals to express interest in EY and apply for any open jobs.

  • Will have access to their own personal data only to create, edit and delete data on their candidate profile. Will have access to apply for any posted EY jobs.
  • Will have read only access to the personal data of EY users (e.g. names of their interviewers).

 Unknown

Yello Support staff

US

To provide vendor system support on an as needed basis.

  • Will have administrative access to personal data, system data and functionality required for system support.

3 to 5

Tata Consulting Services (TCS)

Mexico and India

 To provide system support

  • Has read/write/edit/delete access to all personal data in the Tool. Has access to a range of capabilities within the Admin Center.

~30

IBM Canada, China, Czech Republic, Hungary, India, Malaysia, Mexico, Oceania, Philippines, Poland, UK and US

 To provide system support

  • Has read/write/edit/delete access to all personal data in the Tool. Has access to a range of capabilities within the Admin Center.

~30

The access rights detailed above involves transferring personal data in various jurisdictions (including jurisdictions outside the European Union) in which EY operates (EY office locations). An overview of EY network entities providing services to external clients is accessible on the legal statement via ey.com UK (See Section 1 (About EY) - “View a list of EY member firms and affiliates”). EY will process your personal data in the Tool in accordance with applicable law and professional regulations in your jurisdiction. Transfers of personal data within the EY network are governed by EY’s Binding Corporate Rules.

We transfer or disclose the personal data we collect to third-party service providers (and their subsidiaries and affiliates) who are engaged by us to support our internal ancillary processes. For example, we engage service providers to provide, run and support our IT infrastructure (such as identity management, hosting, data analysis, back-up, security and cloud storage services) and for the storage and secure disposal of our hard copy files. It is our policy to only use third-party service providers that are bound to maintain appropriate levels of data protection, security and confidentiality, and that comply with any applicable legal requirements for transferring personal data outside the jurisdiction in which it was originally collected.

To the extent that personal data has been rendered anonymous in such a way that you or your device are no longer reasonably identifiable, such information will be treated as non-personal data and the terms of this Privacy Notice will not apply.

For data collected in the European Economic Area (EEA) or which relates to individuals in the EEA, EY requires an appropriate transfer mechanism as necessary to comply with applicable law. The transfer of personal data from the Tool to RECSOLU, Inc., DBA Yello, and from the Tool to TCS and IBM, are governed by agreements between EY and the service providers that include standard data protection clauses adopted by the European Commission.

7. Data retention

Our policy is to retain personal data only for as long as it is needed for the purposes described in the section “Why do we need your personal data”. Retention periods vary in different jurisdictions and are set in accordance with local regulatory and professional retention requirements.

In order to meet our professional and legal requirements, to establish, exercise or defend our legal rights and for archiving and historical purposes, we need to retain information for significant periods of time.

The policies and/or procedures for the retention of personal data in the Tool are:

  • If you are a candidate, applicant or campus representative, your data will be held in line with EY records retention policies. After the end of the data retention period, your personal data will be deleted or anonymized (in which case your data will no longer be personal data and you will not be identifiable from such anonymous data).
  • If you are an EY user of the Tool, your data will be held in line with the EY IT Logging Policy (pdf), EY Records Retention Global Policy and the relevant Country Retention Schedule (CRS). After the end of the data retention period, your personal data will be deleted or anonymized (in which case your data will no longer be personal data and you will not be identifiable from such anonymous data).

After the end of the data retention period, your personal data will be deleted.

8. Security

EY protects the confidentiality and security of information it obtains in the course of its business. Access to such information is limited, and policies and procedures are in place that are designed to safeguard the information from loss, misuse and improper disclosure. Additional information regarding our approach to data protection and information security is available in our Protecting your data (pdf) brochure.

9. Controlling your personal data

EY will not transfer your personal data to third parties (other than any external parties referred to in section 6 above) unless we have your permission or are required by law to do so.

10. Your rights in relation to your personal data 

Depending on the applicable jurisdiction, you may have certain rights in relation to your personal data, including:

  • To request details of the personal data EY processes about you and to access the personal data that EY processes about you
  • To have your personal data corrected, for example, if it is incomplete or incorrect
  • To restrict or object to the processing of personal data or request the erasure of your personal data
  • To receive a copy of the personal data which you have provided to EY in a structured, commonly used and machine-readable format which you can re-use for your own purposes (known as “data portability”)
  • Where you have provided consent to the processing of your personal data, the right to withdraw your consent.
  • The right to complain to a data protection authority (see section “Complaints”)

If you have any questions about how EY processes your personal data or your rights related to your personal data, please send an e-mail to data protection team.

11. Complaints

If you are concerned about an alleged breach of privacy law or any other regulation, contact EY’s Global Privacy Leader, Office of the General Counsel, 6 More London Place, London, SE1 2DA,United Kingdom or via email at data protection team or via your usual EY representative. An EY Privacy Leader will investigate your complaint and provide information about how it will be handled and resolved.

If you are not satisfied with how EY resolved your complaint, you may have the right to complain to your country’s data protection authority. You may also have the right to refer the matter to a court of competent jurisdiction.

Certain EY member firms in countries outside the European Union (EU) and the UK have appointed representatives in the EU and the UK respectively to act on their behalf if, and when, they undertake data processing activities to which the EU General Data Protection Regulation (GDPR) and/or the UK General Data Protection Regulation (UK GDPR) applies. Further information and the contact details of these representatives are available on the EU data protection representative page.

12. Contact us

If you have additional questions or concerns, contact your usual EY representative or email data protection team.