Candidate & Employee Privacy Notice
Scope and Overview
FSA Store Inc. and its subsidiaries, affiliates, and related entities (collectively, "Company," "we," "us," or “our”) are committed to protecting the privacy and security of your personal data. As a candidate for employment and employee, you are in a unique situation because you may also at times be our customer. Because of this, the information we collect about you and use falls into two categories: your customer information and your employment information. When you shop with us, you are acting as a customer of ours, and your personal information is protected by the Privacy Notice posted on our e-commerce websites. When you are at work or using company-owned equipment, the information we collect about you and use is considered “employment information.” This Candidate and Employee Privacy Notice (this “Notice”) provides increased transparency around how we collect and process personal data from the time you apply for a job with us through the termination of your employment with us. As such, this Notice applies to candidates for employment as well as current and former employees of the Company.
This Notice describes the categories of personal data that we collect, how we use your personal data, how we secure your personal data, when we may disclose your personal data to third parties, and when we may transfer your personal data outside of your home jurisdiction. This Notice also describes your rights regarding the personal data that we hold about you, including how you can access, correct, and request erasure of your personal data.
We will only process your personal data in accordance with this Notice unless otherwise required by applicable law. We take steps to ensure that the personal data we collect about you is adequate, relevant, not excessive, and processed for limited purposes.
Collection of Personal Data
For the purposes of this Privacy Notice, personal data means any information about an identifiable individual. Personal data excludes anonymous or de-identified data that is not associated with a particular individual. To carry out our activities and obligations as an employer, we may collect, store, and process the following categories of personal data, some of which we require to administer the employment relationship with you:
​
-
Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses.
-
Date of birth.
-
Gender.
-
Race.
-
Marital and dependent status, only when needed to administer benefits such as health insurance or pension benefits.
-
Beneficiary and emergency contact information.
-
Government identification numbers such as social insurance or other national insurance number, driver's license number, or other identification card number.
-
Bank account details and payroll information.
-
Wage and benefit information.
-
Compensation history.
-
Performance information.
-
Insurance enrollment information.
-
Start date and job title.
-
Location of employment.
-
Education and training.
-
Employment records (including professional memberships, references, work history, and proof of work eligibility).
-
Background and criminal information, such as background checks and criminal convictions consistent with applicable law.
-
Photograph.
-
Internet, application, and network activity, such as cookie IDs and browser visits.
-
Individual preferences and characteristics, such as information related to any assessment you may take as part of the interview screening process upon hire or during your tenure for promotional opportunities.
-
Other personal details included in a CV, resume, application form or cover letter or that you otherwise voluntarily provide to us.
The personal data listed in this notice is mandatory in order for us to administer the employment relationship. Failure to provide or allow us to process mandatory personal data may affect our ability to accomplish the purposes stated in this Notice.
We will collect the majority of the personal data that we process directly from you. In limited circumstances third parties may provide your personal data to us, such as former employers or official bodies (such as criminal record bureaus).
Sources of Personal Data
​
-
We may obtain and combine personal information from different sources, as provided below:
-
Provided directly by you or a member of your household
-
Collected through technology on company-owned property
-
Collected from one of our subsidiaries, affiliates, or related entities
-
Collected from an external third-party source
Use of Personal Data
​
We only process your personal data where applicable law permits or requires it, including where the processing is necessary for the performance of our employment contract with you, where the processing is necessary to comply with a legal obligation that applies to us as your employer, for our legitimate interests or the legitimate interests of third parties, to protect your vital interests, or with your consent if applicable law requires consent. We may process your personal data for the following legitimate business purposes and for the purposes of performing the employment contract with you:
​
-
Employee administration (including payroll and benefits administration).
-
Business management and planning.
-
Processing employee work-related claims (for example, insurance and worker's compensation claims).
-
Accounting and auditing.
-
Conducting performance reviews and determining performance requirements.
-
Assessing qualifications for a particular job or task.
-
Gathering evidence for disciplinary action or termination.
-
Complying with applicable law.
-
Complying with health and safety obligations.
-
Education, training, and development requirements.
-
Health administration services.
-
To protect the security and integrity of our systems, processes and our business, and help prevent fraud.
​
We will only process your personal data for the purposes we collected it for or for compatible purposes. If we need to process your personal data for an incompatible purpose, we will provide notice to you and, if required by law, seek your consent. We may process your personal data without your knowledge or consent where required by applicable law or regulation.
We may also process your personal data for our own legitimate interests, including for the following purposes:
​​
-
To prevent fraud.
-
To ensure network and information security, including preventing unauthorized access to our computer and electronic communications systems and preventing malicious software distribution.
-
To support internal administration with our affiliated entities.
-
To conduct data analytics analyses to review and better understand employee retention and attrition rates.
You will not be subject to decisions based on automated data processing without your prior consent.
​
Collection and Use of Special Categories of Personal Data
The following special categories of personal data are considered sensitive personal information (or SPI) and may receive special protection:
​​
-
Racial or ethnic origin.
-
Political opinions.
-
Religious or philosophical beliefs.
-
Trade union membership.
-
Genetic data.
-
Biometric data.
-
Data concerning health.
-
Data concerning sex life or sexual orientation.
​
Data relating to criminal convictions and offences may also receive special protection under the laws of your jurisdiction.
We may collect and process the following special categories of personal data when you voluntarily provide them for the following legitimate business purposes, to carry out our obligations under employment law, for the performance of the employment contract, or as applicable law otherwise permits:
​
-
Physical or mental health information or disability status to comply with health and safety obligations in the workplace, to make appropriate workplace accommodations, as part of sickness absence monitoring, and to administer benefits.
-
Race or ethnic origin, religious affiliation, health information and sexual orientation to ensure meaningful equal opportunity monitoring and reporting.
​
Where we have a legitimate need to process special categories of personal data for purposes not identified above, we will only do so only after providing you with notice and, if required by law, obtaining your prior, express consent.
​
Data Sharing
​
We will only disclose your personal data to third parties where required by law or to our employees, contractors, designated agents, or third-party service providers who require such information to assist us with administering the employment relationship with you, including third-party service providers who provide services to us or on our behalf. Third-party service providers may include, but are not limited to, payroll processors, benefits administration providers, and data storage or hosting providers. These third-party service providers may be located outside of your home jurisdiction.
We require all our third-party service providers, by written contract, to implement appropriate security measures to protect your personal data consistent with our policies and any data security obligations applicable to us as your employer. We do not permit our third-party service providers who process your personal data on our behalf to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes in accordance with our instructions.
We may also disclose your personal data for the following additional purposes where permitted or required by applicable law:
​​
-
To comply with legal obligations or valid legal processes such as search warrants, subpoenas, or court orders. When we disclose your personal data to comply with a legal obligation or legal process, we will take reasonable steps to ensure that we only disclose the minimum personal data necessary for the specific purpose and circumstances.
-
To protect our rights and property.
-
During emergency situations or where necessary to protect the safety of persons.
-
Where the personal data is publicly available.
-
If a business transfer or change in ownership occurs and the disclosure is necessary to complete the transaction. In these circumstances, we will limit data sharing to what is absolutely necessary, and we will anonymize the data where possible.
-
For additional purposes with your consent where such consent is required by law.
​
Categories of Personal Information We Disclose to Each Type of Third Party
​
We may disclose your personal information with certain categories of third parties, as described below.
​
​
Category of Personal Information Disclosed
Category of Third-Party Recipient
Background and Criminal Information
Recruitment services; Local, state, or federal government entities
Financial Information
Service providers that receive data to provide services to us (e.g., analytics providers, advertising networks, cloud storage providers, etc.); Recruitment services; Local, state, or federal government entities
Demographic Information
Service providers that receive data to provide services to us (e.g., analytics providers, advertising networks, cloud storage providers, etc.); Recruitment services; Local, state, or federal government entities
Geolocation
Service providers that receive data to provide services to us (e.g., analytics providers, advertising networks, cloud storage providers, etc.); Recruitment services; Local, state, or federal government entities
Family Information
Recruitment services; Local, state, or federal government entities
Data Security
​
We have implemented appropriate physical, technical, and organizational security measures designed to secure your personal data against accidental loss and unauthorized access, use, alteration, or disclosure. In addition, we limit access to personal data to those employees, agents, contractors, and other third parties that have a legitimate business need for such access.
​
Data Retention
​
Except as otherwise permitted or required by applicable law or regulation, we will only retain your personal data for as long as necessary to fulfill the purposes we collected it for, as required to satisfy any legal, accounting, or reporting obligations, or as necessary to resolve disputes. To determine the appropriate retention period for personal data, we consider applicable legal requirements, the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes we process your personal data for, and whether we can achieve those purposes through other means. We specify the retention periods for your personal data in our data retention policy.
​
Under some circumstances we may anonymize your personal data so that it can no longer be associated with you. We reserve the right to use such anonymous and de-identified data for any legitimate business purpose without further notice to you or your consent. Once you are no longer an employee of the company, we will retain and securely destroy your personal data in accordance with our document retention policy and applicable laws and regulations.
​
Your Rights
​
What Are Your California Privacy Rights?
​
If you are a California resident, you can make certain requests regarding your personal information, and we will fulfill each request to the extent required by law. If we are unable to comply with your request in whole or in part, we will notify you with reasons for the denial. We do not offer the option for you to request we stop selling your personal information or sharing it for cross-context behavioral advertising because we do not conduct such selling or sharing of our candidates or current or former employee’s personal information.
As stated in more detail below, you can request that we:
-
Provide you with access to a copy of and certain details regarding the personal information we have about you.
-
Delete your personal information.
-
Correct your inaccurate personal information.
-
Limit the use or disclosure of your sensitive personal information (SPI).
​
To exercise any of these privacy rights, follow the instructions below specific to the type of request. Once your identity has been verified, we will work with you to process your request.
​
-
Request to Access My Personal Information: You have the right to request access to the personal information we may have collected about you. To access your personal information, contact humanresources@fsastore.com. Requests to access your personal information may be submitted up to two times in a rolling twelve-month period. In response, we will return to you the following categories of information, to the extent required by law:
-
The categories of personal information we have collected about you.
-
The categories of sources from which we collect your personal information.
-
The business or commercial purpose for collecting, selling, or sharing your personal information.
-
The categories of third parties to whom we disclose personal information.
-
The specific pieces of personal information we have collected about you.
-
A list of categories of personal information that we have disclosed for a business purpose, along with the categories of third parties we disclosed it to.
-
-
Delete My Personal Information: You have the right to ask that we delete your personal information. Once we receive a request, we will delete the personal information (to the extent required by law) we hold about you as of the date of your request from our records and direct our service providers to do the same. To have your personal information deleted, contact humanresources@fsastore.com.
-
Correct My Personal Information: You have the right to ask that we correct the personal information we may have collected about you if that information is inaccurate. We reserve the right to request identifying documentation from you in certain circumstances, as permitted by law. To correct your personal information, contact humanresources@fsastore.com.
-
Limit the Use and Disclosure of SPI: You have the right to ask that we limit our use and disclosure of your SPI to certain purposes permitted by law and can do so by contacting humanresources@fsastore.com.
We will not discriminate against you for exercising your rights. Some programs or membership services require usage of personal information to function, so compliance with your request may impact those experiences.
​
Changes to This Privacy Notice
​
We reserve the right to update this Notice at any time, and we will provide you with a new Notice when we make any updates. If we would like to use your previously collected personal data for different purposes than those we notified you about at the time of collection, we will provide you with notice and, where required by law, seek your consent, before using your personal data for a new or unrelated purpose. We may process your personal data without your knowledge or consent where required by applicable law or regulation.
​
Contact Us
​
If you have any questions about our processing of your personal data or would like to make an access or other request, please contact us at: humanresources@fsastore.com.
​
Effective Date: June 30, 2023