Sytner Group Candidate Privacy Policy

1. About this policy

                This policy was last updated on the 14th September 2023.

                This privacy policy (“policy”) describes what types of personal data Sytner Group Limited (referred to throughout this policy as “Sytner Group”, “we”, “us” or “our”) collect from you, when, how and why it is collected, used and disclosed and how it is kept secure when you use our website and when you apply for a job vacancy.

It is important that you read this policy together with any other privacy policy or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This policy supplements the other notices and is not intended to override them.

This website and our services are not intended for children and we do not knowingly collect personal data relating to children. If you are under 16 please do not provide us with any of your personal data unless you have the permission of your parent or guardian to do so.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us, either by updating your personal details directly within your Sytner Careers online account or by contacting us using the details in Section 17 (How to contact us).

We take your privacy seriously and we will only use your personal information in accordance with the Data Protection Act 2018 and the UK General Data Protection Regulation both as amended from time to time (together Data Protection Legislation). And other applicable laws and regulations that relate to data protection and privacy.  

2. Changes to this policy

The contents of this policy may change from time to time. We will post any updates to this policy on our website You may wish to check this page to ensure you are still happy to share your personal data with us. Where we make material changes to this policy, we will also contact you directly to notify you of these changes.

3. Processing another person’s personal data

If you provide us with personal data on behalf of someone else for example you provide your former employers contact details to provide a reference, you confirm to us that you have their permission to pass their personal data to us and that they are aware of the contents of this policy and do not have any objection to our processing their personal data in accordance with this policy.

4. Who is the controller for my personal data?

A ‘controller’ is a person or organisation who decides why and how your personal data is collected, used and shared. They are responsible for ensuring that the processing complies with data protection legislation. 

This policy covers Sytner Group Limited known as the ‘controller’. When we say 'we' or 'us', or refer to “Sytner Group” in this policy, we are referring to Sytner Group Limited who are registered with the Information Commissioner’s Office under reference: Z4998274.

5. What personal data do we collect about you?

Personal data means any information about a living individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). As part of the recruitment process, or if you are successful and subsequently receive a job offer from the Sytner Group, we will collect and process your personal data. We collect a range of information about you. 

This includes, but is not limited to:

  • your full name, any previous names, home address and contact details, including email address and telephone number, social media user name or identifiers;
  • details of your qualifications, skills, experience and employment history;
  • if you have been convicted of any criminal convictions which are not yet spent or any motoring offences;
  • information about your current level of remuneration, including benefit entitlements, and personal information shared by your previous employer on your P45;
  • whether or not you have a disability for which the Sytner Group needs to make reasonable adjustments during the recruitment process and if successful, for your future employment;
  • information about your entitlement to work in the UK; and equal opportunities monitoring information, such as your ethnic origin, sexual orientation, nationality and religion or belief;
  • medical history or health data;
  • a copy of your passport or other legal documentation to verify your identity, and your current driving licence if the job role includes access to a company car;
  • your bank details and national insurance number if you are successful to make an offer of employment to you and to pay your salary;
  • any other personal data you have provided to us within your CV or covering letter as part of your job application or at our request;
  • any personal data which may be found publically in social media, on the internet or in apps such as LinkedIn;
  • behavioural or personality traits found during psychometric testing;
  • if you are offered an interview, we may temporarily capture images of you while on our business premises on CCTV cameras. If you attend a virtual interview we may also record this but only with your permission;
  • if you are transferring internally, if you have previously applied for a job role or been employed by Sytner.

We also collect, use and share aggregated data such as statistical or demographic data for any purpose. Aggregated data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy policy.

6. Where do we get your personal data from?

We collect personal data when you provide this to us directly or in the scenarios listed below:

  • when you submit a job application via this website, through one of our dealerships or via our social media accounts;
  • when you respond to a Sytner Group job advertisement, either directly or indirectly via third party job boards;
  • where a Sytner employee refers an advertised job role to you;
  • when you attend an open day, job fair or an event;
  • if you create a Sytner Career’s online account, sign up for job alerts or register an interest in particular job roles by joining our talent pools;
  • through apprenticeship programmes;
  • dependant on the type of job role which you apply for, we may conduct psychometric or numeracy tests as part of our recruitment process, to assess your suitability for the advertised role;
  • in third party references provided to us on request;
  • provided indirectly to us by a recruitment agent acting on your behalf;
  • from Experian finance, DBS and social media checks, but only with your consent unless we have a contractual obligation to do so;
  • from the DVLA with your consent to check the validity of your driving licence, and if you have any penalty points or disqualifications;
  • intragroup records such as previous employment information, your original personnel file, training records, taxation, payroll or for legal purposes; 
  • contained in application forms, CVs or resumes you send to us directly or indirectly through recruitment agencies or consultants you have engaged with, obtained from your passport or other identity documents, or collected through interviews or other forms of assessment.

Sytner Group may also collect personal data about you from other third parties, such as but not limited to, references supplied by former employers. The Sytner Group will seek information from these third parties only once a job offer to you has been made and will inform you that it is doing so.

Data will be stored in a range of different places, including on your application record, in Sytner Group’s HR management systems, in your Sytner Group online Careers account (if applicable), in your personnel file if you are successful and on other business systems (including email).

7. What is the legal basis for processing your personal data?

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

  • Contractual performance – where we need to process your data where it is necessary for the performance of an employment contract to which you are a party or to take steps at your request before entering into such a contract.
  • Legal or regulatory obligation – when we have to process your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to.
  • Legitimate interest – when it is in our legitimate interest (or that of a third party) and those interests do not override your rights and freedoms, for example when it is in the interest of our business to receive applications from an external recruitment agency, to fill a job vacancy or to provide manufacturer apprentice programmes. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us using the contact details set out in Section 17 (How to contact us). 
  • Vital interests – where it is necessary to process your personal data to protect your vital interests or another person. For example, if you have a medical emergency we may need your next of kin details or medical history to provide to the emergency services.
  • Consent – generally we do not rely on consent as a legal basis for processing your personal data. By exception, third party driving licence and Experian checks will require your explicit consent to share these full reports with us on request. You are under no obligation to share these full reports with Sytner Group, Experian will generically advise us directly if any adverse events have been found during the check.

8. How Sytner will use your personal information

The Sytner Group will use the personal information we collect about you to in the following scenarios:

  • Where we need to take steps at your request prior to entering into an employment contract with you. We also need to process your personal data to make an offer of employment to you and to enter into an employment contract if your application is successful.
  • The Sytner Group has a legitimate interest in processing personal data during the recruitment process and for keeping records of the hiring process. Processing data from job applicants allows Sytner Group to manage the recruitment process, assess your skills and qualifications, and suitability for the work or role, and to decide to whom to offer a job.
  • It is in our legitimate interests to decide whether to appoint you to a role since it would beneficial to Sytner Group to appoint someone to that vacancy.
  • As part of the recruitment process, you may be required to complete internal or third party assessments, such as aptitude, psychometric and numeric tests to ascertain your suitability to the job role for which you have applied. Sytner Group will share your name and email address with the respective third party provider, if applicable. These tests are designed to make consistent automated decisions about your personality traits and behaviour, based on the answers you give in these online assessments. A copy of the Thomas assessment, if you have completed this as part of your application, can be provided to you during your interview or on request.
  • In some cases, Sytner Group needs to process data to ensure that it is complying with its regulatory and legal obligations. For example, it is required to check a successful applicant's eligibility to work in the UK before an employment contract is issued and employment starts.
  • Sytner Group processes health information if it needs to make reasonable adjustments to the recruitment process for candidates who have a disability. This is to carry out its obligations and exercise specific rights in relation to employment. We may process your health data in circumstances where you are absent due to sickness or have been in an accident.
  • If you are invited to attend a recruitment day, Sytner Group will process your personal data for this purpose. This may include, your name, contact details, previous employment background, and food allergies where refreshments are provided and/or if any reasonable adjustments are needed for attendance.
  • The Sytner Group reserve the right to check details given as part of your job application are accurate, if you have previously worked for the Sytner Group, and why you left our previous employment. If we find any personal details or disclaimers you give to us to be inaccurate, our offer of employment may be withdrawn. 
  • Sytner Group may need to process data from job applicants to respond to and defend against legal claims or to address candidate’s data rights or complaints. We may have other regulatory or legal obligations to process your personal information.
  • We will share your contact details with Experian to screen all candidates who are offered a job role. Experian will conduct background checks into your financial status, DBS criminal record, social media presence and digitised candidate identity verification with your consent. If you do not provide your consent to Experian for these checks, we may not be able to continue with our offer of employment in some circumstances. 
  • Where Sytner Group relies on legitimate interests as a reason for processing data, it has considered whether or not those interests are overridden by the rights and freedoms of employees or workers and has concluded that they are not.
  • Where Sytner Group processes other special categories of data, such as information about ethnic origin, sexual orientation or religion or belief, this is for equal opportunities monitoring purposes and with your consent. 
  • For some roles, Sytner Group is obliged to seek information about criminal convictions and offences, for example motor offences. Where the Sytner Group seeks this information, it does so because it is necessary for it to carry out its obligations and exercise specific rights in relation to employment.
  • Where you have applied for an apprenticeship at one of our dealerships by way of a third party provider, we will process and share the outcome of your application with the respective party. 
  • Sytner Group will use your contact details for the recruitment exercise for which you have applied, to keep in contact with you if you have expressed an interest in an advertised job role subject to your permissions or to then make an offer of employment to you. 
  • Where we have made a job offer to you, we may send secure links to your personal email address which allow you to complete mandatory training prior to your employment commencing;
  • If your application is unsuccessful, the Sytner Group will keep your personal data on file in case there are future employment opportunities for which you may be suited. If you have a Sytner Careers online account, the Sytner Group will continue to send relevant emails to you that fall within your specific area of interest, subject to your permissions. You can change your permissions directly within your Sytner Careers account under ‘Other Vacancies’ by selecting ‘No, thank you’ to stop receipt of these new vacancy communications or you can choose to delete your Sytner Careers online account profile in the same section. A deletion request is not absolute, if you have previously been considered for advertised job roles your personal information will also be held by the hiring manager or recruitment team. 
  • Sytner Group may contact you for feedback about the recruitment process or with other relevant job opportunities. 
  • Sytner Group will not use your data for any purpose other than the recruitment exercise for which you have applied unless you have specified otherwise.

9. What rights do you have under data protection legislation?

Under certain circumstances, you have rights under data protection laws. These are set out below:

  • The right to request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
  • The right to request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
  • The right to request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
  • The right to object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which over ride your rights and freedoms.
  • The right to request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
  • The right to request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
  • The right to withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to offer you a job role. We will advise you if this is the case at the time you withdraw your consent.

If you wish to exercise any of the rights set out above, please contact us using the details set out in Section 17 (How to contact us).

You will not have to pay a fee to initially access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response. Where we have requested additional information to confirm your identity or to help with your request, the timeline for response will be paused until receipt of this requested information from you. If you fail to provide this additional information or where we have reasonable doubts over your identity, we may refuse to process your request.

We try to respond to all legitimate requests within one calendar month, subject to exemptions. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

All personal data if held, will be disclosed securely via our secure privacy portal and in easily assessable electronic format. Further copies of the personal data in other formats may be chargeable.

10. Who has access to your personal data?

Your information will be shared internally for the purposes of the recruitment exercise and future employment. This includes members of the HR team, interviewers involved in the recruitment process, managers in the business area with a vacancy and IT staff if access to the data is necessary for the performance of their roles.

Sytner Group will only share your personal data where necessary as part of the recruitment and on boarding process. If it makes an offer of employment to you, the Sytner Group will then share your data with former employers or parties named by you to obtain references. Additionally employment background check providers will be contacted to obtain necessary background checks, to complete driving licence checks if you will have access to a company vehicle and to obtain necessary criminal records checks.

Anonymised data may be shared intragroup for reporting on recruitment, gender pay and equal opportunity monitoring. You will not be able to be personally identified from this reported information. 

11. International transfers

From time to time we transfer your personal data outside of the United Kingdom for the purposes described in this privacy policy. When we do this, your personal data will continue to be subject to one or more appropriate safeguards set out in law. These might include model contracts in a form approved by the Information Commissioner’s Office (ICO), having the recipient sign up to an independent privacy scheme approved by regulators, or transferring to a jurisdiction that is subject to a relevant adequacy decision. 

Where we put in place appropriate safeguards to protect the personal data we transfer, the safeguards may include securing additional legal agreements to protect your information. If you would like further information about these agreements, you can contact us using the details in section 17 (How to contact us or make a complaint). 

12. How do we keep your personal information secure?

Sytner Group takes the security of your data seriously. It has internal policies and controls in place to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the proper performance of their duties.

We use a variety of security measures, including encryption and authentication tools, to help protect and maintain security, integrity and availability of your personal data.

Although data transmission over the Internet or website cannot be guaranteed to be secure, we and our business partners work hard to maintain physical, electronic and procedural safeguards to protect your personal data in accordance with applicable data protection requirements. Our main security measures are:

  • restricted personal access to your data on a 'need to know' basis and for the communicated purpose only;
  • highly confidential data stored in encrypted form;
  • firewalled IT systems to prohibit unauthorised access e.g. from hackers;
  • we require all of our service providers to have appropriate measures in place to maintain the security of your personal data; and
  • permanently monitored access to IT systems to detect and stop misuse of personal data.

                Where we have given you (or where you have chosen) a password that enables you to access any personalised area this website, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.

                It is your responsibility to ensure that your desktop or mobile device is virus protected. We accept no responsibility for any loss you may suffer as a result of accessing and downloading information from our website or from within communications we send to you.

You will be required to undertake annual training in Data Protection Legislation, following the offer of a job role to you. This is mandatory and completion of this training must be prior to processing any Sytner Group customer or colleague’s personal data.

13. How long do we keep your personal data?

We retain your personal data only as long as is necessary for the purpose for which we obtained them and any other permitted linked purposes. If personal data is used for two purposes we will retain it until the purpose with the latest period expires; but we will stop using it for the purpose with a shorter period once that period expires. Our retention periods are based on business needs and your personal data that is no longer needed is either irreversibly anonymised or destroyed securely. 

                If your application for employment is unsuccessful, Sytner Group will hold your data on file for 12 months after the end of the relevant recruitment process, unless you have asked us to keep you on our records for future opportunities, in which case, with your agreement, Sytner Group will hold your data on file for consideration for future employment opportunities.

If your application for employment is successful, personal data gathered during the recruitment process will be transferred to your personnel file and retained during your employment. The periods for which your data will be held is detailed in the Sytner Group data retention policy. 

14. Third-Party links and social plug-ins contained on our website

Our website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy notices and statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.

Social plug-ins are integrated into this website from social networks such as Facebook and LinkedIn. When you visit our website, the social plug-in is deactivated, therefore no personal data is transmitted to the operators of the respective plug-in. If you want to use one of the social networks, click on the respective social plug-in to establish a direct connection to the server of the respective network. 

If you have a user account on the social network and are logged in when you activate the social plug-in, the network can associate your visit to our website with your user account. If you want to avoid this, please log out of the social network before activating the social plug-in. A social network cannot associate a visit to other Sytner Group websites until you have activated an existing social plug-in.

When you activate a social plug-in, the network transfers the content that becomes available directly to your browser, which integrates it into our website. In this situation, data transmissions can also take place that are initiated and controlled by the respective social network. Your connection to a social network, the data transfers taking place between the network and your system, and your interactions on that platform are governed solely by the privacy policies of that social network.

A social plug-in will remain active until you deactivate it or delete your cookies (see section 15).

If you activate a social plug-in you do so at your own risk, personal data may reach providers in countries outside the UK/European Union that may not guarantee an "adequate level of protection" for the processing of personal data in accordance with UK/EU standards. Please remember this fact before activating a social plug-in and thereby triggering a transfer of your personal data.

15. Cookies and how we use these to process your personal data

Cookies may be used when you are visiting this website. Technically, these are so-called HTML cookies and similar software tools such as Web/DOM Storage or Local Shared Objects (so-called "Flash cookies"), which we collectively refer to as cookies.

                Cookies are small files that are stored on your desktop, tablet or mobile device while you visit a website. Cookies make it possible, for example, to determine whether there has already been a connection between the device and the website; take into account your preferred settings, offer you certain functions (e.g. to save job roles of interest) or recognize your usage-based interests. Cookies may also contain personal data.

                Whether and which cookies are used when you visit our website depends on which areas and functions of our website you use and whether you agree to the use of cookies that are not strictly necessary. 

                You will be asked to set cookie preferences when you access our website for the first time via the Cookie banner on the front screen. When you re-visit our website we may ask you to update your cookie preferences periodically.

The use of cookies also depends on the settings of the web browser you are using (e.g., Microsoft Edge, Google Chrome, Apple Safari, and Mozilla Firefox). Most web browsers are pre-set to automatically accept certain types of cookies; however, you can usually change this setting. You can delete stored cookies at any time. Web/DOM storage and local shared objects can be deleted separately. 

Cookies are tied to the device and also to the respective web browser you use. If you use multiple devices or web browsers, you can make decisions or settings differently.

If you decide against the use of cookies or delete them, you may not have access to all functions of our website or individual functions may be limited.

16. What if you do not provide personal data?

You are under no statutory or contractual obligation to provide data to Sytner Group during the recruitment process. However, if you do not provide the information, the Sytner Group will not be able to process your job application properly or at all. 

You are under no obligation to provide information for equal opportunities monitoring purposes and there are no consequences for your application if you choose not to provide such information.

17. How to contact us

We have appointed a data protection officer who is responsible for overseeing data protection for the Sytner Group. If you have any questions about this policy, your rights under data protection legislation or the processing of your personal data generally you can contact us free of charge at any time by using the details below:

  • By completing this web form 
  • By sending an email to our Data Privacy & Compliance Team
  • By writing to us at Data Privacy & Compliance Team, Sytner Group, 3 Penman Way, Grove Park, Leicester, LE19 1ST

If you are dissatisfied with our use of your personal data or our response to any exercise of these rights you have the right to complain to your data protection authority, this in the UK is the Information Commissioner's Office (ICO)

Sytner Group Limited is registered in England & Wales under Company number: 2883766 and headquartered in Leicester. The Sytner Group is wholly owned by Penske Automotive Group based in the United States of America and listed on the NYSE as a part owned division of the Penske Corporation. 

End of policy - version 2 – 14th September 2023