PMI CANDIDATE PRIVACY NOTICE

We take privacy seriously. This notice tells you who we are, what information about you we collect, and what we do with it. Click on “find out more” in each section for further information.

Please also read any supplementary notices that we provide to you relating to our collection and use of information about you. They provide more information about the way we do business, and any restrictions on eligibility that may apply.

Who are we?

We are a member of Philip Morris International. Our details (name, address, etc.) will have been given to you separately at the time of (or to confirm) the collection of information about you, for example, in a notice on an app or a website or in an e-mail, containing a link to this notice.

Find out more…

  • PMI: Philip Morris International, a leading international tobacco group. It is made up of a number of companies or “affiliates”.
  • PMI affiliates: Each member of the Philip Morris International group of companies is a “PMI affiliate”. “We” (or “us” or “our”) refers to each PMI affiliate: when you set up a candidate profile or apply for a job, you provide information about you to each PMI affiliate, and each PMI affiliate may process information about you for its own recruitment purposes. This is the case even where you respond to a job posting that mentions a particular PMI affiliate or country/territory.

How do we collect information about you?

We may collect information about you in various ways.

  • You may provide us with information directly (e.g. when creating an account, creating a candidate profile, applying for a job, attending an interview, completing a test/assessment, sending an e-mail, or making a call to us).
  • We may collect information automatically (e.g. when you use a PMI app or website).
  • We may acquire information from third parties (e.g. from recruitment agencies, reference providers, (where permitted by law) background screening providers and publicly-available sources, such as a company website, internet searches or social media platforms such as LinkedIn).

In this notice, we refer to all the methods by which you are in contact with us as “PMI touchpoints”. PMI touchpoints include both physical (for example, offices, retail outlets and events), and digital (for example, apps and websites).

Find out more…

We may collect information that you provide directly. Typically this will happen when you:

  • sign up to be a member of our databases (this could be, for example, in person, via app, or online when you create an account and a candidate profile);
  • submit a job application and supporting information to us;
  • participate in an interview;
  • complete a test/assessment;
  • provide job acceptance, background screening and on-boarding information (where applicable);
  • download, or use, a digital touchpoint (e.g. an app or a website);
  • contact us through a PMI touchpoint, or by e-mail, social media or telephone;
  • register to receive press releases, e-mail alerts, or job updates;
  • participate in surveys or (where permitted by law) competitions or promotions; or
  • attend an event that a PMI affiliate has organised.

We may collect information about you automatically. Typically this will happen when you:

  • visit our offices (e.g. through video (CCTV) recording and building access logs);
  • complete online skills and aptitude tests;
  • attend an event that a PMI affiliate has organised (e.g. through sensors at the event that connect with mobile technology);
  • use PMI’s systems or PMI-issued devices such as a laptop;
  • communicate with us (for example, through a PMI touchpoint; or by e-mail, or social media platforms);
  • use PMI touchpoints (e.g. through tracking mechanisms in an app or a website); or
  • make public posts on social media platforms that we follow (for example, so that we can understand public opinion).

We may also collect information about you automatically through the use of cookies and similar tracking technologies on digital PMI touchpoints. The specific cookies and technologies used will depend on the PMI touchpoint in question. To learn about the cookies (including Google analytics cookies) and similar technologies used on a touchpoint, including how you can accept or refuse cookies, please see the cookie notice made available on or through that touchpoint. For example, to learn about cookies or similar technologies used on the www.pmi.com website, visit the pmi.com cookie notice, a link to which is available in the footer to every page of the website. The pmi.com cookie notice is also available here.

Where permitted by law, we may acquire information about you from third parties. This may include:

  • information from recruitment agencies;
  • information shared between PMI affiliates;
  • information from third party social media sites (for example, if you choose to simplify your login process to the job platform to allow direct access once you have signed in to your third party social media account, like Gmail or Yahoo!, or if you want to upload information to the platform (for example, from LinkedIn) instead of manually completing an application); and
  • publicly-available profile information (such as your experience, skills and interests) on third party social media sites (such as LinkedIn).

We may also collect information in other contexts made apparent to you at the time.

What information about you do we collect?

We may collect various types of information about you:

  • information necessary to manage and administer our relationship with you and to run our business, including to meet our legal and regulatory obligations (e.g. verifying your identity, your right to work, application details and, where permitted by law, your suitability for a job using background checks)
  • information you give us in your candidate profile, job application, forms or surveys
  • information necessary to assess your eligibility for a role, shortlist and select candidates
  • information about your visits to our offices and attendance at events
  • where applicable, information necessary to offer you a job and on-board you (such as issuing an offer, drafting an employment contract, providing benefits information and arranging access to systems)
  • information gathered as part of our monitoring of the recruitment process
  • information you give us in calls you make to us or e-mails you send to us
  • information about your preferences, interests and career aspirations
  • information gathered as part of business analytics and improvements

find out more…

Information that we collect from you directly will be apparent from the context in which you provide it. For example:

  • during the application and recruitment process, you provide your name, contact details, skills, qualifications and experience information;
  • during any interview or assessment you provide answers to questions;
  • you may provide information on your career aspirations and interests so that we can send you relevant opportunities; and
  • we may collect information that enables us to verify your identity and right to work, for example a copy of an identity document or your facial image.

Information that we collect automatically will generally concern:

  • details of your visits to our offices, attendance at interviews, assessments and events (such as time and duration);
  • details of your use of PMI touchpoints (such as applications/information accessed, time and duration, information searched); and
  • your devices (such as IP address or other unique device identifier, location data, details of any cookies that we may have stored on your device).

Information that we collect from third parties will generally consist of:

  • job application information from recruitment agencies (where you apply for a role via a recruitment agency);
  • references and work certificates from your previous employers or your other reference providers;
  • where permitted by law, background screening information as appropriate for the role (such as identity document validation, address verification, confirmation of qualifications and employment history, searches against sanctions and politically exposed persons lists, and details of any convictions);
  • login information and profile information from third party social media sites (for example, if you choose to simplify your login process to the job platform to allow direct access once you have signed in to your third party social media account, like Gmail or Yahoo!, or if you want to upload information to the platform (for example, from LinkedIn) instead of manually completing an application); and
  • publicly-available profile information (such as your role, skills, qualifications, experience and interests, for example from a company website, internet searches or on social media platforms such as LinkedIn).

Information we collect and process about you may include your:

  • name
  • password
  • address including home and correspondence
  • contact details including personal e-mail address and home/personal mobile phone number where these details are provided as part of your application
  • sex
  • cover letter
  • resume/job application, including personal and professional information
  • how you heard about the job
  • eligibility to work, including passport or other official identification document
  • references
  • qualification transcripts and certificates
  • education and employment history
  • jobs applied for
  • current, expected and offered employment terms and conditions (e.g. pay, hours of work, holidays, benefits)
  • interview notes and assessment results
  • application outcome and reason
  • reason for withdrawing your job submission (where applicable)
  • social insurance and personal income tax data
  • tax code
  • date of birth
  • family status and situation
  • bank account information (if you are offered a job and accept it)
  • photographs and video recordings
  • system user information
  • automated records of your use of PMI information systems
  • information submitted to us when using information systems that PMI affiliates operate
  • information about you visits to our offices and events

We may also collect and process special categories of information about you such as your:

  • racial or ethnic origin (e.g. for equal opportunities monitoring)
  • political opinions (only if you voluntarily share this information)
  • religious or philosophical beliefs (e.g. for reasonable accommodation)
  • sexual orientation (e.g. for equal opportunities monitoring or if you voluntarily share this information)
  • trade union membership (only if you voluntarily share this information)
  • data concerning your health, including any disability (e.g. for reasonable accommodation)

We will process these types of data if you voluntarily share them with us, if we have a legal obligation to process the information and, in relation the recruitment process, to provide reasonable accommodation.

For what purposes do we use information about you, and on what legal basis?

In this section, we describe the purposes for which we use personal information. However, this is a global notice, and where the laws of a country restrict or prohibit certain activities described in this notice, we will not use information about you for those purposes in that country.

Subject to the above, we use information about you for the following purposes:

  • perform checks on identity, role eligibility and right to work
  • verify employment history, qualifications, experience and references
  • where permitted by law, perform candidate vetting and background screening
  • perform recruitment and selection, including interviews, assessments, and psychometric profiling, shortlisting, job offer and benefits (where applicable)
  • business administration, including record keeping obligations
  • where applicable, pre-employment administration and management, including preparation of contractual and non-contractual documents, and arranging systems and building access
  • monitoring of the recruitment process

The legal basis for our use of information about you is one of the following (which we explain in more detail in the “find out more” section):

  • compliance with a legal obligation to which we are subject
  • to take steps at your request prior to entering into a contract
  • a legitimate business interest that is not overridden by interests you have to protect the information
  • where none of the above applies, your consent (which we will ask for before we process the information)

find out more…

The purposes for which we use information about you, with corresponding methods of collection and legal basis for use, are:

Purpose Method of collection and legal basis for Processing
Comply with regulatory obligations

·     identity and right to work checks

·     assessing the demographic makeup of our workforce, such as equal opportunities monitoring

This information is generally provided to us by you directly.

We use it because it is necessary for us to comply with a legal obligation to employ only people with a right to work in the country where the job is located and to monitor the demographics of our workforce, or, in countries where there is no such legal obligation, because we have a legitimate business interest to run our business in accordance with good practice requirements that is not overridden by your interests, rights and freedoms to protect information about you.

Application verification and candidate vetting (where permitted by law)

·     verifying employment history, qualifications, experience and references

·     where permitted by law, candidate vetting and background screening

This will typically be a combination of information that you provide directly (as part of your application) and, during the later stages of our recruitment process, information that we collect from third parties such as references and (where permitted by law) criminal record checks.

We use it because it is necessary for us to comply with a legal obligation to employ only eligible and suitable people, or, in countries where there is no such legal obligation, we use it because we have a legitimate business interest in ensuring your suitability and eligibility for a role with us that is not overridden by your interests, rights and freedoms to restrict use of information about you.

Recruitment and selection

·     candidate recruitment and selection, including interviews, assessments, psychometric testing

·     review of application forms and online assessment tools and skills tests

·     shortlisting

·     making an offer and agreeing benefits (where applicable)

·     group, panel and individual interview

·     informing you of the outcome of applications and of other opportunities that may be of interest, advertising positions, and monitoring interest

·     record keeping

This will typically be a combination of information that you provide directly (at various stages during the recruitment process) and, information that we collect from third parties such as any recruiter or social media platform you use to share information about you with us.

We use it because we have a legitimate business interest in recruiting and selecting candidates for roles with us (including carrying out interviews and assessments), and keeping records of the recruitment process, that is not overridden by your interests, rights and freedoms to restrict use of information about you.

Pre-employment workforce management

·     hiring activities such as preparing, issuing and signing employment contract

·     establishing electronic personal record and personal files

·     creating payroll records

·     enrolling new employee benefits

·     reporting employment commencement to legal authorities

This information is collected during the later stages of our recruitment process and during the processing of job offer and/or acceptance.

We use it because we have a legitimate business interest in preparing necessary employment documents and completing necessary internal records not overridden by your interests, rights and freedoms to restrict use of information about you.

Monitoring of the recruitment process

·     quality control and checks to monitor compliance with our recruitment process

This information is collected throughout our recruitment process.

We use it because we have a legitimate business interest in checking compliance with our recruitment process that is not overridden by your interests, rights and freedoms to restrict use of information about you.

Support for all the above purposes

·     administering your accounts

·     enabling you to use PMI touchpoints (for example, allowing you to remain logged in to sections of a touchpoint that are reserved for authorized users only, and administering your language preference)

·     corresponding with you

·     managing your appointments with us (for example, regarding an interview or assessment)

·     enhancing your experiences

·     administration and troubleshooting

This will typically be a combination of information that you provide to us (name, password (or equivalent)) and information that we collect automatically (for example, information about your device, and cookies and similar tracking technologies).

We use it on the grounds that correspond to the purpose for using the information that we are supporting. For example, where we administer your account to support a job search or application, we use the information on the grounds that we have a legitimate business interest to run our business and recruit staff that is not overridden by your interests, rights and freedoms to protect information about you.

Business analytics and improvements

·     assessing the effectiveness of our recruitment process

·     business analytics and improvements (including for our recruitment process, events, digital PMI touchpoints and the information that we (or our affiliates) provide to job candidates)

This will typically be a combination of information that you provide to us; information that we collect automatically; and (where permitted by law) information that we acquire from third parties.

We use it on the grounds that we have a legitimate business interest to analyze, assess the effectiveness of and improve our recruitment efforts, processes, PMI touchpoints, and events that is not overridden by interests, rights and freedoms to protect information about you.

Where we do not base our use of information about you on one of the above legal bases, we will ask for your consent before we process the information (these cases will be clear from the context). We may from time to time ask for your explicit consent to process special categories of information about you.

In some instances, we may use information about you in ways that are not described above. Where this is the case, we will provide a supplemental privacy notice that explains such use. You should read any supplemental notice in conjunction with this notice.

Do we make any automated decisions?

We may make automated decisions on any of the matters set out in this notice (for example, whom to include on a shortlist for interview). If we do this, we will draw this to your attention at the time, together with information about the logic involved in the decision, as well as the significance and the envisaged consequences for you of such use of information about you.

Who do we share your information with, and for what purposes?

We may share information about you with:

  • PMI affiliates;
  • third parties who provide PMI affiliates or you with products or services (such as recruitment agencies, background screening and online assessment providers); and
  • other third parties, where required or permitted by law (such as regulatory authorities; government departments; past, potential or future employers; and in the context of organisational restructuring).

find out more…

Sharing data with other PMI affiliates

  • Information about you will be shared with Philip Morris International Management SA (based in Lausanne, Switzerland), which is the place of central administration of personal data processing for PMI affiliates. Information about you may also be shared with Philip Morris International IT Service Centre Sàrl (based in Lausanne, Switzerland) as technology provider for PMI affiliates. Philip Morris International Management SA and (to the extent it has access) Philip Morris International IT Service Centre Sàrl process the information about you for all the purposes described in this notice.
  • Information about you will be shared with other PMI affiliates for all the purposes described in this notice (for example, to determine if you meet the requirements of jobs available at any of the PMI affiliates). When you upload information to the job search platform, it will be made available to each PMI affiliate, each PMI affiliate may process it for its own recruitment purposes. This is the case even where you respond to a job posting that mentions a particular PMI affiliate. Accordingly, information about you may be transferred globally (if your information is collected within the European Economic Area, this means that your information may be transferred outside it).

Details of PMI affiliates and the countries in which they are established are available here.

Sharing data with Third Parties

  • We may share information about you with third parties who provide PMI affiliates or you with products or services (such as recruitment agencies, background screening providers, online assessment providers, information services providers and identity verification providers).
  • We may share information about you with other third parties, where required or permitted by law, for example: regulatory authorities; government departments; in response to a request from law enforcement authorities or other government officials; when we consider disclosure to be necessary or appropriate to prevent physical harm or financial loss or in connection with an investigation of suspected or actual illegal activity; and in the context of organisational restructuring.
  • If we arrange travel or accommodation for you (e.g. if you need to travel to attend an interview), information about you may be shared with third parties who arrange travel and accommodation, provide transport or travel-related services, such as travel agents, online booking providers, ticketing agents, airlines, car hire companies, rail providers and hotels. These third parties will use information about you for their own purposes (for example, to discharge their obligations to provide transport or accommodation to you) and you should check their privacy notices for further details about their use of information about you.

Where might information about you be sent?

As with any multinational organisation, PMI affiliates transfer information globally. When you upload information to the job search platform, you provide it to all PMI affiliates, each of which may process it for its own recruitment purposes. This is the case even where you respond to a job posting that mentions a particular PMI affiliate. Accordingly, information about you may be transferred globally (if your information is collected within the European Economic Area, this means that your information may be transferred outside it).

find out more…

When using information as described in this notice, information about you may be transferred either within or outside the country or territory where it was collected, including to a country or territory that may not have equivalent data protection standards.

PMI affiliates within the European Economic Area (“EEA”) will transfer personal information to PMI affiliates outside the EEA. For example, to facilitate the operation of a global business. In all cases, the transfer will be:

  • on the basis of a European Commission adequacy decision;
  • subject to appropriate safeguards, for example the EU Model Contracts; or
  • necessary to discharge obligations under a contract between you and us (or the implementation of pre-contractual measures taken at your request) or for the conclusion or performance of a contract concluded in your interest between us and a third party, such as in relation to travel arrangements.

In all cases, appropriate security measures for the protection of personal information will be applied in those countries or territories, in accordance with applicable data protection laws.

How do we protect information about you?

We implement appropriate technical and organisational measures to protect personal information that we hold from unauthorised disclosure, use, alteration or destruction. Where appropriate, we use encryption and other technologies that can assist in securing the information you provide. We also require our service providers to comply with strict data privacy and security requirements.

How long will information about you be kept?

We will retain information about you for the period necessary to fulfil the purposes for which the information was collected. After that, we will delete it. The period will vary depending on the purposes for which the information was collected. Note that in some circumstances, you have the right to request us to delete the information. Also, we are sometimes legally obliged to retain the information, for example, for tax and accounting purposes.

find out more…

Typically, we retain data based on the criteria described in the table below:

Type Explanation/typical retention criteria
·     recruitment process data If you apply for a job with us, we will keep a record of your application and retain it while it remains relevant to our relationship, for example during the recruitment process, to tell you about other opportunities that may be of interest and, if your application is successful, during your employment with us.

Typically, information about you is kept for up to 12 months after the date on which you last logged into the recruitment platform. As a minimum, we keep records of the recruitment process for the statutory period in which a claim arising from the recruitment process may be brought. We may keep information about you for longer if you apply for certain types of jobs and this is allowed or required in the country where that job is based.

Other records relevant to the recruitment process (for example, assessment results and background checks) are retained for a short period until more permanent records are made (for example, a record of the result of the assessment or background check).

·     visitor records If you visit our buildings, visitor records are retained typically for a period of only a few months.
·     CCTV If you visit our buildings, CCTV records are retained typically for a period of only a few days.
·     system audit logs System audit logs are retained typically for a period of only a few months.
·     business analytics Business analytics data is typically collected automatically when you use PMI touchpoints and anonymised/aggregated shortly afterwards.

What rights and options do you have?

You may have some or all of the following rights in respect of information about you that we hold:

  • request us to give you access to it;
  • request us to rectify it, update it, or erase it;
  • request us to restrict our using it, in certain circumstances;
  • object to our using it, in certain circumstances;
  • withdraw your consent to our using it;
  • data portability, in certain circumstances;
  • opt out from our using it for direct marketing; and
  • lodge a complaint with the supervisory authority in your country (if there is one).

We offer you easy ways to exercise these rights, such as “unsubscribe” links, or by contacting YourHR@pmi.com or by using the contacts in the paragraph “who should you contact with questions?” at the end of this notice.

find out more…

The rights you have depend on the laws of your country. If you are in the European Economic Area, you will have the rights set out in the table below. If you are elsewhere, you can contact us (see the paragraph “who should you contact with questions?” at the end of this notice) to find out more.

Right in respect of the information about you that we hold Further detail (note: certain legal limits to all these rights apply)
·     to request us to give you access to it This is confirmation of:

·     whether or not we process information about you;

·     our name and contact details;

·     the purpose of the processing;

·     the categories of information concerned;

·     the categories of persons with whom we share the information and, where any person is outside the EEA and does not benefit from a European Commission adequacy decision, the appropriate safeguards for protecting the information;

·     (if we have it) the source of the information, if we did not collect it from you;

·     (to the extent we do any, which will have been brought to your attention) the existence of automated decision-making, including profiling, that produces legal effects concerning you, or significantly affects you in a similar way, and information about the logic involved, as well as the significance and the envisaged consequences for you of such use of information about you; and

·     the criteria for determining the period for which we will store the information.

On your request we will provide you with a copy of the information about you that we use (provided this does not affect the rights and freedoms of others).

·     to request us to rectify or update it This applies if the information we hold is inaccurate or incomplete.
·     to request us to erase it This applies if:

·     the information we hold is no longer necessary in relation to the purposes for which we use it;

·     we use the information on the basis of your consent and you withdraw your consent (in this case, we will remember not to contact you again, unless you tell us you want us to delete all information about you in which case we will respect your wishes);

·     we use the information on the basis of legitimate interest and we find that, following your objection, we do not have an overriding interest in continuing to use it;

·     the information was unlawfully obtained or used; or

·     to comply with a legal obligation.

·     to request us to restrict our processing of it This right applies, temporarily while we look into your case, if you:

·     contest the accuracy of the information we use; or

·     have objected to our using the information on the basis of legitimate interest

(if you make use of your right in these cases, we will tell you before we use the information again).

This right applies also if:

·     our use is unlawful and you oppose the erasure of the data; or

·     we no longer need the data, but you require it to establish a legal case.

·     to object to our processing it You have two rights here:

(i)     if we use information about you for direct marketing: you can “opt out” (without the need to justify it) and we will comply with your request; and

(ii)    if we use the information about you on the basis of legitimate interest for purposes other than direct marketing, you can object to our using it for those purposes, giving an explanation of your particular situation, and we will consider your objection.

·     to withdraw your consent to our using it This applies if the legal basis on which we use the information about you is consent. These cases will be clear from the context.
·     to challenge certain automated decisions If, as part of our recruitment process, we make a decision based solely on automated processing, and that decision produces legal effects concerning you or similarly significantly affects you (for example, you are not invited to interview on the basis of the decision), you have a right to contest the decision, to request us to have a human review that decision, and to express your point of view.

This right does not apply if:

(i)     you gave your consent to the decision beforehand;

(ii)    that use of information about you is necessary for entering into; or the performance of, a contract between you and us; or

(iii)   it is authorized by law.

As mentioned above, these decisions will be drawn to your attention at the time, together with information about the logic involved in the decision, as well as the significance and the envisaged consequences for you of such use of information about you.

·     to data portability If:

(i)  you have provided data to us; and

(ii) we use that data, by automated means, and on the basis either of your consent, or on the basis of discharging our contractual obligations to you,

then you have the right to receive the data back from us in a commonly used format, and the right to require us to transmit the data to someone else if it is technically feasible for us to do so.

·     to lodge a complaint with the supervisory authority in your country Each European Economic Area country must provide for one or more public authorities for this purpose.

You can find their contact details here:

http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm

For other countries please consult the website of your country’s authority.

Country-specific additional points

According to which country you are in, you may have some additional rights.

find out more…

  • If you are in France, you have the right to give us instructions regarding information we hold about you in the event of your death (specifically, whether we should store or delete it, and whether others should have the right to see it). You may:
  • issue general instructions to a digital service provider registered with the French data protection supervisory authority (called “CNIL”) (these instructions apply to all use of information about you); or
  • give us specific instructions that apply only to our use of information about you.

Your instructions may require us to transfer information about you to a third party (but where the information contains information about others, our obligation to respect also their privacy rights might mean that we can’t follow your instructions to the letter). You may appoint a third party to be responsible for ensuring your instructions are followed. If you do not appoint a third party in that way, you successors will (unless you specify otherwise in your instructions) be entitled to exercise your rights over information about you after your death:

  • in order to administer your estate (in which case your successors will be able to access information about you to identify and obtain information that could be useful to administer your estate, including any digital goods or data that could be considered a family memory that is transferable to your successors); and
  • to ensure that parties using information about you take into account your death (such as closing your account, and restricting the use of, or updating, information about you).

You may amend or revoke your instructions at any time. For further information on the processing of information about you in the event of your death, see Article 40-1 of the law 78-17 dated 6 January 1978. When you die, by default, you will stop using your account and we will delete information about you in accordance with our retention policies (see the paragraph “How long will information about you be kept?” for details).

Who should you contact with questions?

If you have any questions, or wish to exercise any of your rights, you can find contact details for the relevant PMI affiliate, and if applicable data protection officer, here. Contact details will also be given in any communications that a PMI affiliate sends you.

If your country has a data protection authority, you have a right to contact it with any questions or concerns. If the relevant PMI affiliate cannot resolve your questions or concerns, you also have the right to seek judicial remedy before a national court.

Changes to this notice

We may update this notice (and any supplemental privacy notice), from time to time. We will notify of the changes where required by law to do so.

Last modified [15/05/2018]. You can find previous versions of this notice here.