Privacy and Cookie Notice

 

1. INTRODUCTION


Welcome to the Privacy Notice of
Marown Holdings Limited. This Privacy Notice describes how Marown Holdings Limited, including all wholly owned subsidiaries (“the Group” or “We”) process your Personal Data. Accordingly, the Group assumes the GDPR role of Data Controller of your Personal Data.

The Group is committed to transparency, specifically to assist you in understanding how we process your Personal Data, and how we meet our obligations under the applicable data protection laws.

We are committed to complying with all applicable data protection laws, including, but not limited to, the General Data Protection Regulation (GDPR), UK General Data Protection Regulation (UK GDPR), Australian Privacy Act and the Protection of Personal Information Act (POPIA).

2. SCOPE


This Privacy Notice is intended to provide you with information about how we process your Personal Data, through the use of this website, including any Personal Data you may provide through this website should you submit an application for any potential job opportunities at
Marown Holdings Limited, or any of its wholly owned subsidiaries.

This Privacy Notice is not intended to be directed at children, who are under the legal age of majority in your respective country or region. We do not knowingly process Personal Data of any person who is considered under the legal age of majority.

Please note that this Privacy Notice does not apply to the Personal Data of the Group’s employees, clients, or customers, as that will be governed by the Group’s Internal Privacy Policy.

Data processed for business purposes, will be governed by the Group’s internal Data Protection Policy.

3. DEFINITIONS


Personal Data
means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Data Protection Officer means an individual who is responsible for overseeing a company’s data protection strategy and its implementation to ensure compliance with the applicable data protection laws. Their duties include educating a company and its employees, as well as serving as the point of contact between both a company and the applicable supervisory authority, that oversees activities related to Personal Data, as well as the point of contact between a company and its data subjects.

Data Controller means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. This does extend to similarly defined entities/individuals defined under other applicable data protection legislation (e.g., Responsible Party).

Data Processor means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller. This does extend to similarly defined entities/individuals defined under other applicable data protection legislation (e.g., Operator).

4. DATA PROTECTION OFFICER


The Group has appointed a Data Protection Officer (“DPO”) who is responsible for overseeing our data protection activities. 

Contact Details:

Data Protection Officer
Email Address : [email protected].
Physical Address :
10 Bressenden Place
London
SWE1E 5DH
United Kingdom

In addition to the above, the Group has appointed an EU Representative under the GDPR:

Contact Details:

Derivco Malta Limited
Physical Address : Level 2, 9 Empire Stadium Street
Gzira
GZR1300
Malta

5. YOUR PERSONAL DATA RIGHTS AND CONTROLS


Many privacy laws extend rights to individuals over their Personal Data, such as the GDPR and POPIA.

Some rights only apply when the Group uses a certain ‘legal basis’ to process your Personal Data. We explain each legal basis in conjunction with the purpose for which the Group processes your Personal Data, below under “WHAT, HOW AND WHY WE PROCESS YOUR PERSONAL DATA”.

You will not have to pay a fee to access your Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

Please note that we may need to request specific information from you to help us confirm your identity and ensure your right to access your Personal Data (or to exercise any of your other rights). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you for further information in relation to your request to speed up our response.

Further, we try to respond to all legitimate requests within 1 month. Occasionally it may take us longer than a month if your request is particularly complex or you have made several requests. In this case, we will notify you and keep you updated.

The below table explains:

  • Your rights.
  • How to use them.
No. Your right Description How?
1. Transparency / To be informed You have the right to be informed about what Personal Data the Group processes, and how the Group processes your Personal Data.  

We inform you:

  • Through this Notice.
  • By answering your questions and requests when you contact us.
2. To access You have the right to request access to the Personal Data we process about you. You may request a copy of your Personal Data from the Group, by contacting us.
3. To rectification You have the right to amend or update your Personal Data, where it is inaccurate or incomplete. You may request that the Group amends or updates your Personal Data, by contacting us
4. To erasure (“right to be forgotten”)  

You have the right to request that we erase, partially or wholly, your Personal Data.

However, the exercising of this right is subject to the following conditions:

  • When we no longer need your Personal Data for the purpose it was collected for.
  • When we processed your Personal Data on the legal basis of consent, and you have withdrawn your consent.
  • When you have submitted a justified objection to the processing of your Personal Data.

There are situations where we are unable to delete your Personal Data, such as:

  • It is still necessary to process your Personal Data for the purposes we collected it.
  • The Group’s interest in using your Personal Data overrides your interest in having it deleted. (e.g., where we need your Personal Data to protect the Group from fraud).
  • The Group has a legal obligation to retain your Personal Data.
  • The Group needs your Personal Data to establish, exercise or defend legal claims.
You may request that we erase / delete your Personal Data, by contacting us.
5. To restriction  

You have the right to request that we stop processing all or some of your Personal Data.

You may exercise this right if:

  • Your Personal Data is inaccurate.
  • We are processing your Personal Data unlawfully.
  • We do not require your Personal Data for a specific purpose.
  • You have objected to our processing of your Personal Data, and we are assessing your objection request.

See “To object” below.

You can request that we stop processing temporarily or permanently.

You may request that we stop processing your Personal Data, by contacting us.
6. To object  

You have the right to object to us processing your Personal Data.

You may exercise this right if the Group is processing your Personal Data on the legal basis of legitimate interest.

You may exercise your right to object processing your Personal Data, by contacting us.
7. To data portability  

You have the right to request a copy of your Personal Data in an electronic format and the right to transmit that Personal Data to a third party.

You may exercise this right when we are processing your Personal Data on the legal bases of consent or performance of contract.

For more information about how to exercise this right, see “To access” above.
8. To not be subject to automated decision making  

You have the right to not be subject to a decision based solely on automated decision making (i.e., decisions without human involvement), including profiling, where the decision would have a legal effect on you or produce a similarly significant event.

The Group does not carry out this type of automated decision making unless done so in a lawful manner.
9. To withdraw your consent  

You have the right to withdraw your consent.

You may exercise this right when the Group is processing your Personal Data on the legal basis of consent.

You may exercise your right to withdraw your consent, by contacting us.
10. To lodge a complaint You have the right to lodge a formal complaint with your applicable Data Protection Authority.  

Please refer to the International Association of Privacy Professional’s (IAPP) interactive Global Map here, where you may locate your applicable Data Protection Authority’s website and contact details.

 

6. WHAT, HOW AND WHY, WE PROCESS YOUR PERSONAL DATA


The below table explains:

  • The purpose for which we process your Personal Data.
  • The legal basis the Group has determined for each purpose.
  • The  Personal Data which we use for each purpose.

The Group generally processes your Personal Data so as to take steps prior to entering into a contract with you (i.e., Performance of Contract), however, there are instances where the Group relies on other legal bases to process your Personal Data such as your consent, and where the Group has a legitimate interest in responding to you, should you pose any questions to the Group through this website.

Notwithstanding the above, your ease of reference, here is a general explanation of each ‘legal basis’ to assist you in understanding the table

  • Performance of Contract: When it is necessary for the Group to process your Personal Data to comply with obligations under a contract of employment with you. 
  • Legitimate Interest: When the Group has an interest in processing your Personal Data, which is necessary and justified considering any possible risks to you and other employees, workers or contractors:
    • Should the Group determine that the legal basis appropriate to process your Personal Data are the legitimate interests of the Group, the Group will carry out a Legitimate Interest Assessment (LIA).
    • This LIA process determines whether the processing of your Personal Data is appropriate by weighing up the actual interests of the Group to process your Personal Data, against your interests or fundamental rights and freedoms.
  • Consent: When the Group asks you to actively indicate your agreement to the Group’s use of your Personal Data for a specific purpose.
  • Compliance with Legal Obligations: When the Group must process your Personal Data to comply with a law.
No. Purpose Legal basis Scope of Personal Data used for the purpose
1. Recruitment: Screening and selecting Consent  

  • First name.
  • Last name.
  • Residential address.
  • Email address.
  • Telephone number.
  • Entitlement to work.
  • Proof of nationality.
2. Recruitment: Assessments Consent  

  • Curriculum Vitae (incl. all incidental Personal Data disclosed therein).
  • Work history.
  • Details on qualifications, skills, and experience.
3. Recruitment: Verification Checks Consent  

  • Identity number.
  • Passport number.
  • Proof of nationality.
  • Current level of remuneration (incl. benefits).
4. Recruitment: Offer Management and Hiring Process Performance of Contract  

All the above including:

  • Marital status.
  • Next of kin.
  • Dependents.
5. Website: Authenticate users and prevent fraudulent use of user accounts on this website Legitimate Interest  

seen-cookie-message*

*Note, this is used to store a user’s viewing of the privacy policy message. If a user has seen this message, a value of ‘yes’ is stored so the message does not display again. Message appears again after cookie expires (14 days).

6. Website: Track how this website is used, so that we can make improvements Consent  

seen-cookie-message*

*Note, this is used to store a user’s viewing of the privacy policy message. If a user has seen this message, a value of ‘yes’ is stored so the message does not display again. Message appears again after cookie expires (14 days).

7. Recruitment & Website: Contact and perform correspondence with you, for a justifiable purpose Consent  

  • First name.
  • Last name.
  • Email address.
  • Telephone number.
8. Recruitment & Website: Respond to and defend against legal claims Legitimate Interest  

  • First name.
  • Last name.
  • Email address.
  • Telephone number.

 

7. INFORMATION ABOUT COOKIES


Cookies are small files that websites save to your hard disk or to your browser’s memory. The cookies used on our website are listed above. You can accept or decline cookies. Most internet browsers automatically accept cookies, but you can usually modify your browser settings to decline cookies or to notify you when a cookie is being placed on your computer. If you choose to decline cookies, however, you may not be able to fully experience the features of our website or other websites that you may visit.

Please refer here for more information about cookies.

8. WHAT IF YOU DO NOT PROVIDE US WITH YOUR PERSONAL DATA?


If you fail / refuse to provide your Personal Data to the Group, this will hinder the Group’s ability to consider your application for any vacancies for a role at
Marown Holdings Limited, or any of its wholly owned subsidiaries, or to respond your questions / queries submitted through this website.

9. WHO WE SHARE YOUR PERSONAL DATA WITH


This section explains who receives your Personal Data, which is collected by the Group.

The below table explains:

  • The categories of recipients of your Personal Data.
  • The categories of Personal Data shared with those recipients.
  • The purpose of sharing your Personal Data with those recipients.

Please note that we will not share your Personal Data with other third parties (apart from the Recruitment Platform Provider), unless your application for the relevant vacancy is successful and we make you an offer of employment.

Categories of Recipients Scope of Personal Data Purpose of Sharing
Recruitment Platform Provider / HR Team / Interviewers  

  • First name.
  • Last name.
  • Residential address.
  • Email address.
  • Telephone number.
  • Entitlement to work.
  • Proof of nationality.
  • Curriculum Vitae (incl. all incidental Personal Data disclosed therein).
  • Work history.
  • Details on qualifications, skills, and experience.
End-to-end recruitment process.
HRIS Service Providers As above. Candidate onboarding.
Background Check Providers  

  • First name.
  • Last name.
  • Residential address.
  • Email address.
  • Telephone number.
  • Identity number.
  • Passport number.
Conduct background checks against the Disclosure and Barring Service, to obtain necessary criminal record checks, psychometric assessments etc.

 

10. DATA RETENTION OF YOUR PERSONAL DATA


We will only retain your Personal Data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

Details of the retention periods for different aspects of your Personal Data are available in our HR Data Retention Policy, which you can request from us by contacting us.

11. TRANSFERRING YOUR PERSONAL DATA TO OTHER COUNTRIES


Due to the international footprint of
Marown Holdings Limited, including all wholly owned subsidiaries, the Group shares your Personal Data internationally with all Marown Holdings Limited companies, and partners. The Group has validated the legality of sharing your Personal Data with all Marown Holdings Limited companies, by ensuring that Marown Holdings Limited, including all wholly owned subsidiaries, have concluded the Group’s Intra-Group Data Transfer Agreement, which is the legal mechanism relied on to safeguard your Personal Data when sharing amongst the Group.

Accordingly, these entities may process your Personal Data in countries whose data protection laws are not considered to be as strong as EU laws or laws which apply where you live (e.g., they may not afford the same rights over your Personal Data).

Whenever we transfer your Personal Data internationally, we use tools / mechanisms to:

  • Make sure that the Personal Data transfer complies with applicable laws.
  • Help to provide your Personal Data with the same level of protection as the GDPR.

To ensure that each Personal Data transfer complies with applicable data protection laws (incl. those mentioned in Section 1), we use the following legal mechanisms:

  • Standard Contractual Clauses (“SCCs”): These clauses requires that a Personal Data importer to protect your Personal Data and to provide you with GDPR-level rights and protections. You may exercise your rights under the SCCs by contacting us or the third party who processes your Personal Data.
  • Adequacy Decisions: These adequacy decisions permit the Group to transfer the Personal Data of our EU employees, to countries outside the European Economic Area which have adequate laws to protect Personal Data, as determined by the European Commission.

Please note that we also identify and use additional protections as appropriate for each data transfer, such as:

  • Technical protection, such as using technologies like encryption or pseudonymization.
  • Policies and processes to challenge disproportionate or unlawful government authority requests.

12. HOW DO WE KEEP YOUR PERSONAL DATA SAFE?


The Group is committed to protecting your Personal Data and takes the security of your Personal Data very seriously. We have implemented, and continuously maintain, appropriate technical and organizational measures to help protect the security of your Personal Data against loss, accidental / unauthorized destruction, disclosure, or access, as well as any misuse and unnecessary retention of your Personal Data. In this regard the Group has obtained certification against ISO/IEC 27001.

Where the Group engages third parties to process your Personal Data, as described above in “WHO WE SHARE YOUR PERSONAL DATA WITH”, we endeavor to ensure that those third parties do so based on written instruction and are under a duty of confidentiality and are obliged to implement and maintain appropriate technical and organizational measures to ensure the security of your Personal Data.

The Group has procedures to deal with any potential / suspected Personal Data security breaches, and will notify you, and any applicable supervisory authority, of a confirmed breach, where we are legally required to do so.

13. PERSONAL DATA BREACHES


Should the Group discover the occurrence of a breach in relation to your Personal Data, which poses a risk to your rights and freedoms, we undertake to report the Personal Data breach to you without undue delay, along with the likely consequences of the breach and the remedial action taken.

If the Personal Data breach is likely to result in an elevated risk to your risks and freedoms, the Group undertakes to report the breach to the relevant supervisory authority within 72 hours of discovery.

The Group will record all Personal Data breaches, regardless of their effect.

14.OWNERSHIP, REVIEW AND APPROVAL


The Data Protection Officer owns this Privacy Notice. This document must be reviewed at least annually and is approved by the Group’s relevant decision makers.

If you believe that the Group has not complied with your Personal Data Rights, you may lodge a complaint to your applicable Data Protection Authority. Please refer to the IAPP’s interactive Global Map here, where you may locate your applicable Data Protection Authority’s website and contact details.