Privacy Policy

Our approach
CFC is committed to protecting your privacy. This Privacy Notice (the “Notice”) sets out details of the personal data we may collect, store and process when you apply for a position at CFC.

Who collects your data
In this Notice, reference to “we”, “us” or “CFC” means:, these are set out below:
  • CFC Underwriting Limited, company number: 03302887, registered address: 85 Gracechurch Street, London EC3V 0AA,
  • CFC Claims Limited, company number: 13897666, registered address: 85 Gracechurch Street, London EC3V 0AA, UK
  • CFC Security Limited, company number: 13497455, registered address: 85 Gracechurch Street, London EC3V 0AA,
  • CFC Europe S.A, company number: 0711.818.068, registered address: Bastion Tower,  5 Place du Champ de Mars, 1050 Brussels, Belgium,
  • CFC USA, Inc., DE file number: 7226403, registered address: Floor 16, 48 Wall Street, New York, NY 10005, United States
  • CFC Security Inc., DE file number: 7451204, registered address: 300 E. Highland Mall Blvd, Suite 300, Austin, Texas 78752, United States
  • CFC Security Pty Ltd, ACN: 096 518 820, registered address: Unit 22, 130 Bundall Road, Bundall QLD 4217, Australia
  • Solution Underwriting Agency Pty Ltd, ACN: 139 214 323, principal place of business: Suite 1 Level 5, 289 Flinders Lance, Melbourne, Victoria, 3000, Australia
  • CFC Underwriting Inc, company number: 1000496243, registered address: 3 Bridgman Avenue, Suite 204, Toronto, ON M5R 3V4, Canada
  • CFC Claims Inc, company number: 1000756274, registered address: 3 Bridgman Avenue, Suite 204, Toronto, ON M5R 3V4, Canada
The data controller will be the CFC group company that your application for employment or temporary work relates to.

If you have any questions about this Notice, or wish to exercise any of your rights, please contact CFC’s Data Protection Officer (‘DPO’) at dataprotection@cfc.com.

What information do we collect
We collect the following information about you during the recruitment and onboarding process:
  • General information provided in your curriculum vitae, application form, covering letter and during the interview process including: your name, date of birth, age, gender, home address, personal email address, education, qualifications and work experience details, and references.
  • Recruitment information such as your right to work documentation, your driving licence or passport to verify your identity, employment records, salary and benefits history.
  • Financial information such as your bank account details, payroll records, tax status information and national insurance number.
  • Information collected or created by us during the recruitment process including: correspondence between us, interview notes and test scores (where applicable). 
  • Information about criminal convictions (subject to local requirements):  for designated roles we will carry out background checks and checks on publicly available social media as part of the recruitment process.
  • Special categories of personal data including: racial and ethnic origin information and information relating to disabilities, religious beliefs or sexual orientation, physical or mental health information and immigration/naturalisation records (if this discloses racial/ethnic origin information).
We may collect your personal data from a range of sources, including: 
  • from you: we typically collect your personal data directly from you through the application and recruitment process;
  • from third parties: we may collect additional information from third parties including former employers, credit reference agencies or other background check agencies; and
  • criminal record check results to the extent allowed by law.
Why we use your personal data
We use the personal data collected from you for the following reasons: 
  • It is necessary for us to do so before entering into a contract with you, 
  • We need to process your information in order to comply with a legal or regulatory obligation. 
We or a third party process your personal data for a number of reasons including, but not limited to, the following reasons:   
  • to ensure the effective administration and management of the recruitment process, 
  • ensure we hire a suitable individual for a role and are able to make an informed recruiting decision, 
  • to verify the information you provide to us,
  • to deal with disputes and accidents and take legal or other professional advice, 
  • to check your legal entitlement to work in the country;
  • to administer your employment contract; and 
  • ascertain your fitness to work.
Why we use special category personal data

In addition to the lawful bases of processing identified above, we will process your special categories of personal data where permitted by the law, which will be in the following situations: 
  1. to consider whether we need to provide reasonable adjustments during the recruitment process; 
  2. for equal opportunity monitoring purposes; or 
  3. to comply with any legal or regulatory obligation.
We will use special categories of personal information collected about you because: 
  1. we need to do so to carry out our legal obligations; 
  2. it is necessary for the establishment, exercise or defence of legal claims in relation to court cases; 
  3. there is a substantial public interest; or
  4. it is needed to protect your interests (or someone else's interests) and you are not capable of giving your consent.
Information about criminal convictions
As part of the recruitment process for designated roles, and if you are successful during the initial stages we (or our third party background check provider) may ask you for information in relation to criminal convictions and carry out criminal background checks.  We use this information and these checks 
  1. to assess your suitability for a regulated role; 
  2. to protect your interests, our interests and third party interests; 
  3. because it is necessary in relation to legal claims. 
We are allowed to use your personal information in this way where you have provided your consent. We are allowed to use your personal data in this way because it is part of our background vetting process and in compliance with our obligations in connection with employment or engagement.

Sharing your information
  • We may share information about you with the following third parties: 
  • employment agencies, 
  • Pinpoint our HR and recruitment system provider, 
  • background check and test providers, 
  • credit reference agencies, 
  • regulators and competent authorities, and 
  • within our group for administration, accounting and reporting purposes.
We use Pinpoint, an online software product provided by The Infuse Group Ltd (t/a Pinpoint Software) located at One Waverly Place, St Helier, Jersey, JE1 2PP, to assist with our recruitment process. We use Pinpoint to process personal information as a data processor on our behalf. Pinpoint is only entitled to process your personal data in accordance with our instructions.

If you would like further information about the data processors used by CFC including their contact details, please contact dataprotection@cfc.com.   

Automated decision-making
You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making. We may leverage a third-party Pinpoint’s technology to help us select appropriate candidates for us to consider based on criteria we have identified. The process of finding suitable candidates is automatic, however, any decision as to who we will engage to fill the job opening will be made by our team.

Information may be held at our offices and those of our group companies (see list above), and third party agencies, service providers, representatives and agents as described above.

The data that we collect from you and process using Pinpoint’s Services will be transferred to and stored at one of several datacentre locations in Amsterdam (Netherlands) and may be synchronised to one of several datacentre locations in London (United Kingdom) for backup and redundancy purposes. By submitting your personal data, you agree to this transfer, storing or processing.

International data transfers
To the extent necessary, your personal data may be transferred and/or disclosed within the CFC Group or to third parties as set out above in the section “Sharing your information”, where this is required during the recruitment process. This may include transfers to servers and databases outside the country where you provided us with your personal data. Where we need to send data internationally, we always consider our statutory obligations and rely on appropriate safeguards to ensure that your personal data is adequately protected. 
Where required by applicable law, we ensure that your privacy rights are adequately protected by appropriate technical, organisation, contractual or other lawful means including by:
  1. ensuring that transfers related to UK and EU data subjects within the CFC Group are subject to the EU Commission’s standard contractual clauses, and the ICO’s international data transfer addendum; AND
  2. where we need to send your personal data to third parties who are involved in providing you with services, we require them to provide contractual commitments that preserve your privacy rights, including by incorporating standard contractual clauses and completion of appropriate due diligence, where required.
If you would like to know more about how we protect your personal data and privacy rights, and for a copy of the safeguards we have in place, please contact dataprotection@cfc.com

How long we keep your information

We will retain your personal information for the duration of the recruitment process and for unsuccessful candidates, or a maximum period of 24 months from the end of the process subject to any exceptional circumstances and/or to comply with particular laws or regulations. If you are successful in applying for a position, your personal information will be retained for a further period, as set out in our Employee Privacy Notice.

Your rights
Under the UK GDPR and the EU GDPR, you may have the right to access, rectify, restrict, transfer, erase and object to the processing of your personal data. You may also have the right to lodge a complaint with the relevant data protection authority if they believe that their personal data is not being processed in accordance with applicable data protection law. 

The data subject rights listed below do not apply in all circumstances, and not all of these will be available to you if you are subject to data protection law outside the UK/EU. In certain circumstances, the rights listed below may be restricted if an appropriate exemption applies i.e. to prevent fraud or maintain privilege. If you have any questions about your data subject rights, please do contact us. 

To exercise your rights, or if you have any queries regarding your rights, please make your request in writing to the DPO whose contact details are available above. Please make your request clear as to which right(s) you would like to exercise. You may also be required to submit a proof of your identity.
  1. Right to make subject access request (SAR). Where we are processing your personal data as a data controller you may, where permitted by applicable law, request copies of your personal data. 
  2. Right to rectification. You may request that we rectify any inaccurate and/or complete any incomplete personal data.
  3. Right to withdraw consent. You may, as permitted by applicable law, withdraw your consent to the processing of your personal data at any time. Such withdrawal will not affect the lawfulness of processing based on your previous consent. 
  4. Right to object to processing. You may, as permitted by applicable law, request that we stop processing your personal data.
  5. Right to data portability. You may request for us to transfer your personal data to a third party of your choice.
  6. Right to erasure. You may request that we erase your personal data and we will comply, unless there is a lawful reason for not doing so. For example, there may be an overriding legitimate ground for keeping your personal data, such as a legal obligation that we must comply with, or if retention is necessary for us to comply with our legal obligations.
  7. Your right to lodge a complaint with the supervisory authority. We suggest that you contact us about any questions or if you have a complaint in relation to how we process your personal data. However, you do have the right to contact the relevant supervisory authority directly, if you are unsure which supervisory authority to contact, please do let us know. To contact the Information Commissioner’s Office in the United Kingdom, please visit the ICO website for instructions.
To exercise your rights, please contact CFC’s DPO at dataprotection@cfc.com.

Data security
CFC takes the integrity and confidentiality of personal data very seriously. Personal data shall only be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing, and against accidental loss or damage. CFC is committed to ensuring that appropriate security is in place to prevent any personal data from being accidentally or deliberately compromised.

A range of organisational and technical security measures have been put in place to protect data - for example, access controls and firewalls are reviewed periodically by all entities, and CFC Underwriting Ltd holds the Cyber Essentials Certification.

General
This notice may be amended by CFC at any time at our sole discretion. You can always find the latest version of this notice on our website.

Where you apply for an opportunity posted by us, these privacy notice provisions will apply to our processing of your personal information, in addition to any other privacy notice available on our website.