This Candidates Privacy Policy describes how  Saint James Operations Limited (or otherwise referred to herein as “the Companies”, “us” or “we”) treats your personal information and the data provided to us in order to be able to process your job application, in accordance with the Data Protection Act Chapter 586 of the laws of Malta and the General Data Protection Regulation (Regulation (EU) 2016/679; “GDPR”), and any other applicable law. We will manage any personal information you provide to us in the correct manner. The Personal Data will normally be provided to us when you show your interest in applying for one of our job vacancies and it is kept and processed by us as specified in this Policy.

You have accessed this Candidates Privacy Policy because you have applied or have shown interest in seeking a career with Saint James Operations Limited. Failure to provide your personal data as requested may prevent us from processing your job application. By reading this policy and proceeding with the application you are giving your explicit consent for the processing of your personal data including special categories of data.

WHO ARE WE?

We are Saint James Operations Limited, a Group of Maltese Hospitals and Clinics that provide an array of healthcare services.

Saint James Operations Limiteds’ registered address Saint James Hospital Group, Saint James Hospital, George Borg Olivier Street, Sliema, SLM 1087

Should you wish to contact us regarding data protection we have appointed a Data Protection Officer who may be contacted at [email protected].

WHY DO WE COLLECT PERSONAL DATA?

The purpose of this policy is to inform career candidates of their rights under GDPR and also outlines the Companies’ obligations.

This policy provides candidates with guidance on all their personal data related to processing, storage and transfer of personal data that is processed by the Companies.

Saint James Operations Limited provides Healthcare services and must ensure that its employees are duly qualified to provide such services. It must also ensure that its employees are properly qualified, healthy, identified and verified, and do not have any prior convictions that would render them unsuitable for occupying such sensitive positions of trust.

Saint James Operations Limited must also ensure that it has the required personal data to satisfy its legal obligations and contractual obligations towards the relevant authorities and the employees respectively.

WHAT PERSONAL DATA DO WE COLLECT?

Saint James Operations Limited will need to collect personal data from you to be able to process your job application in a fair and transparent manner and therefore must be in possession of the required data to do so. We also collect your personal data for the purpose of confirming your suitability for the position applied for when you voluntarily submitted your application with us.

We may collect and process the following types of personal data about you at this stage or later. The data will be marked accordingly:

Personal Data Item	Description
Identification data and contact details	Name and surname, Date of birth, place of birth, nationality,Copy of identity card Copy of passport information, tax identification number, national insurance number, address, email address. contact telephone numbers (landline and mobile) gender,Marital status and number of dependents.
CV	A copy of your CV/Resume, received from you or by one of the recruitment agencies if you have submitted your application through them.
Qualifications	Information regarding your employment history,reference letters from previous employers where applicable, education and training,MQRIC (for non-EU nationals/ nurses/care workers/doctors/specialists),For care workers: certification of training related to careFor nurses/doctors/specialists – local registrationFor nurses and carers PSV-Primary source verificationFit for work certificate Training records
Data related to criminal convictions	Police conduct certificate. Details of any criminal convictions that you declare. Police Conduct reports (PCC)Police Conduct Check details according to your job
Emergency contact details (only collected if candidate is accepted)	Contact details of your chosen designated trusted person. Next of kin, emergency contacts and their contact information.
Other Personal data	Credit historyIBAN number Employment and education history  Right to work information Location of employment (e.g., Malta, or regional offices).Career candidate’s general practitioner  Past Employment History.References. Payroll additional form if employed (provided by the Companies). FS3 & last payslip if employed
Special categories of data (only collected if candidate is accepted)	Biometric data for identity verification purposes and work attendance purposes.Health data such as any disability, permanent or current, which would require adjustments from our end in order to accommodate you within the recruiting process. Hepatitis B record Health screening (for non-EU nationals)

We may also collect information about data subjects indirectly from other sources, such as:

Source	Type of information
Recruitment Agencies	CV of prospective job candidates provided by the recruitment agency during the recruitment process.
References from former employers	Professional references, if any.
Publicly accessible sources, such as: Search engines, Online and paper media, Social media platforms such as LinkedIn	Newspaper articles, information on investigations, criminal or civil proceedings, information regarding your work history.

The next 3 sub- sections expand further on specific types of personal data that are more sensitive than the other data collected and deserve to be treated in more detail.

SPECIAL CATEGORIES OF DATA

Special categories of data include ethnic origin/race (information that reveals an individual’s ethnic or racial background), union membership, political, religion, medical health and its specific health categories. These include: medical history and any health records, genetic data, medical history and information regarding minors, biometric data, mental health information and assessments, sexual and reproductive health data, disability and occupational health data. Substance abuse and addiction treatment records, vaccination and immunization records, emergency health information and public health information.

Particular attention will be given to such data which shall only be collected and processed if absolutely necessary and in compliance with the applicable legislation. The data shall only be accessed by persons with a need to access it and it shall be afforded the necessary level of technical and organizational controls.

BIOMETRIC DATA

The collection of biometric data and its use must comply with GDPR. Such data is classified as a special category of data. Career candidates should be fully informed about how this data will be used, stored and protected.

Saint James Operations Limited career candidates must provide explicit consent for the collection and processing of their biometric data. Strict technical and organizational controls are implemented to adequately protect special categories of data against unauthorized access.

Biometric data specifically facial recognition and palm reading, is done to clients’ identities to screen for potentially fraudulent activity. 

CRIMINAL CONVICTIONS AND OFFENCES

Saint James Operations Limited processes criminal record data to assess the suitability of career candidates. Criminal records are treated with the highest level of confidentiality and is accessible only to authorized personnel.

Criminal record data is retained only as long as necessary for its intended purpose and is securely destroyed after use.

WHAT LEGAL BASIS IS THERE FOR PROCESSING YOUR PERSONAL DATA?

Saint James Operations Limited rely on lawful legal basis to process your data. The legal basis under which Saint James Operations Limited process your Personal Data are (Articles mentioned are from the GDPR);

• Article 6(1)a – explicit consent
  • Article 6(1)b – contractual obligations
  • Article 6(1)c – legal obligations
  • Article 6(1)f – legitimate interest

In relation to Special categories of data Saint James Operations Limited rely on the following legal basis:

• Article 9(2)(a) Explicit consent;
• Article 9(2)(h) Purposes for the assessment of the working capacity of the employee.
• Article 9(2)b – legal obligations s.l 586.08 employment and social protection obligations

In relation to criminal convictions and offences the lawful basis we rely on to process this data are:

• explicit consent;
• legitimate interest; and,
• where necessary for compliance with legal obligations.

Given the sensitive nature of some of the personal data collected, Saint James Operations Limited have provided a matrix to show our legal basis for processing the various types of personal data:

Identification data and contact details	Legal obligations, Consent and Legitimate interest
CV	Consent and legitimate interest
Qualifications	Consent and legitimate interest
Data related to criminal convictions	Explicit consent and legitimate interest
Emergency contact details	Legitimate interest
Other Personal data	Legitimate interest/ contractual obligations
Special categories of data	Consent/ contractual obligation

WHERE DO WE STORE YOUR DATA?

Saint James Operations Limited acts as a data controller only for career candidates and employees. We implement industry standard precautions to ensure the confidentiality of your personal data remains secure within our Applicant tracking system, HR management and payroll system. Data is stored on Saint James Operations Limited servers located within the European Union. Hard copies are filed in secured lockable cabinets and the Companies premises. Training information is also stored on our servers with employee data maintained in digital and physical formats.

We consistently adhere to best security practices and standards, utilizing providers that guarantee an adequate level of security. Additionally, we may also store your personal data within our Group of companies, which are located within the EEA. We will always ensure to have the adequate security measures as required.

DO WE TRANSFER DATA TO THIRD COUNTRIES?

Personal data may be transferred to other companies within the Saint James Operations Limited brands and to third-party suppliers for the purpose of processing your application. We do not transfer any personal data outside of the EU. However, personal data transfers may be performed outside the territory of the EU/EEA. We will always ensure a similar degree of protection when transferring personal data outside the EU/EEA, using measures such as transferring to countries deemed to hold an adequate level of data protection by the European Commission, and/or implement Standard Contractual Clauses issued by the European Commission and any additional measures as required.  Saint James Operations Limited does not allow third parties to use your data for their own purposes, they only act in accordance with our instructions.

HOW LONG DO WE KEEP YOUR DATA FOR?

If you are successful with your application your personal information will be kept in accordance with our internal policies. If you are not successful, we will keep your data for as long as the applicant permits (unless you specifically contact us and request your data to be deleted), during which period we may contact you again should a future role arise that matches your profile. We also keep your data, in the event of a legal claim, to prove that we have not discriminated against candidates and that we have conducted the recruitment exercise in a fair and transparent manner. After this period, we will securely destroy your personal information in accordance with applicable laws and regulations.

If you wish to exercise your right to erasure before said period, you can do so by contacting us at [email protected].

We will do our best to comply with your request within a month upon confirmation of your identity.

WHAT ARE YOUR RIGHTS UNDER GDPR?

All candidates have the following rights under GDPR:

1. Right to be informed- Healthcare has to provide information to the data subjects, in line with the transparency and fairness requirements. As a minimum Saint James Operations Limited shall inform its career candidates via its privacy and cookie policies as applicable, unless the data subject is already aware of certain information of: the identity and contact details of the controller; contact details of the DPO; the purposes and legal basis for processing; categories of recipients of the personal data if any.
2. Your right of access – The right to ask us for copies of your personal information. Below please refer to the section below under the heading ‘How can I access my personal data?’ for more information on this matter.
3. Right to Rectification – Saint James Operations Limited shall receive requests from their career candidate to change their personal data and shall action them at the earliest. The new data provided should be verified as well as the identity of the data subject. The career candidate shall be informed of the changes and asked to confirm that they have been properly effected. The changes should be made on all systems where the Data Subjects data, i.e. career candidate, is being processed or stored.
4. Your Right to Erasure or Right to Be Forgotten (RTBF) – Saint James Operations Limited may receive requests from their career candidates to have their data erased. Such requests will normally be complied with unless  Saint James Operations Limited has a legitimate interest to continue processing such data, as for example, in cases where there could be suspicious fraudulent activity.
5. Your Right to Restrict Processing – The Companies may receive a request from a career candidate to not process his data for specific purposes such as marketing or notifications. Where possible such requests should be complied with, however, if the request affects the ability of Saint James Operations Limited to comply with legal or contractual obligations the data subject is to be notified accordingly.
6. Your right to object to processing – A career candidate can object to processing if such processing is carried out under points 5 and 6 of the legal basis for processing unless Saint James Operations Limited can prove that there are compelling grounds to continue such processing.
7. Right to object to decision based solely on automated decision-making processes. – A data subject may enquire about certain decisions made about his or her application to establish whether the decision was based solely by an automated decision-making process.  Saint James Operations Limited does not have any automated decision-making processes in place and every decision is a man made one.
8. Your right to data portability – A Saint James Operations Limited career candidate may request that their data is given to them so that they can transfer it or use it elsewhere. The data shall be provided to them in a format that is transferable and readable such as .csv, .pdf, .xml, .xls format or any other common format readable by normal applications generally found on normal personal computers and/or laptops or other devices.

HOW CAN I ACCESS MY PERSONAL DATA?

A candidate can request a copy of their personal data by making a request to Saint James Operations Limited by email, telephone, social media, facsimile or any other communication method available. The identity of the career candidate shall always be verified, and data shall be provided in a format that is easily accessible and readable. There is a 30 (thirty) day period in which we are obliged to provide the data and this timeline is normally respected. If there is to be a delay due to the volume of data then the data subject is shall be duly advised. All normal Subject Access Requests shall be handled for free.

You will not be able to take away your physical file and only copies of records can be provided.

You can exercise these rights by contacting us at [email protected].

You also have the right to lodge a complaint with our Data Protection Authority, the Information and Data Protection Commissioner, whose website may be found at https://idpc.org.mt/. Alternatively, you may also decide to lodge a complaint with your local Data Protection Authority if you are an EU citizen. You can find a list with your local Data Protection Authority contact details at https://edpb.europa.eu/about-edpb/board/members_en.

HOW DO WE SECURE YOUR PERSONAL DATA?

Saint James Operations Limited implements appropriate technical and organizational measures to protect career candidate’s personal data against unauthorized access, loss, destruction, or alteration.  Saint James Operations Limited adopts a risk based approach to handling personal data and implements the security measures based on a risk assessment. These measures include but are not limited to:

• Encryption
• Access controls
• Data minimization
• Regular Audits
• Network Security Devices
• Regular Back ups
• Policies and Procedures
• Organisational Controls

POLICY ACCEPTANCE

Saint James Operations Limited aims to protect the privacy and rights of its career candidates while maintaining the highest standard of data protection. By working with Saint James Operations Limited career candidates acknowledge that they have read, understood and agreed to comply with the terms outlined in this GDPR candidate policy.

This career candidate policy ensures Saint James Operations Limited meets the obligations under GDPR, particularly concerning the handling of special categories of personal data. By reading and submitting an application you are giving explicit consent for the processing of your data including special categories of data.