SAS Global Talent Acquisition Data Privacy Notice


Effective Date: October 2024
Last Updated Date: October 2024

 

1.  Introduction


This Talent Acquisition Privacy Notice (“Notice”) applies to SAS Institute Inc. and its relevant affiliates (“SAS,” “us,” “we,” or “our”). This Notice describes how SAS collects, uses, stores, and discloses personal data about any candidates or other individuals who apply to an open position with us; who we contact for or who express interest in employment with us; who attend a recruitment event; who join our talent community; or who undergo an interview or assessment with us (“Candidate(s)”). This Notice also describes the rights that Candidates may have in relation to the personal data that we process about them. As used in this Notice, “personal data” means any information that relates to, identifies, or reasonably could be used to identify an individual, directly or indirectly.

If you are located in the European Economic Area (“EEA”), Switzerland, or the United Kingdom (“U.K.”), please refer to Section 8 of this Notice for more information about which specific entity or entities act as a controller in relation to your personal data.

This Notice does NOT apply to:

  • Personal data that SAS processes about you if you interact with SAS websites, SAS mobile applications, our branded social media pages, and other non-career websites which we operate (collectively, our “Digital Properties”), or other ways you may interact with SAS as a user of our products and services. In such cases, the privacy notice posted on the Digital Properties you interact with will apply; or
  • Personal data that SAS processes about you if you are an employee with SAS, which is subject to our separate SAS Global Worker Data Privacy Statement.

If you are offered and you accept a role at SAS, the Candidate personal data collected during the recruiting process will become part of your employee file and will be governed by the SAS Global Worker Data Privacy Statement, a copy of which will be provided when you are on-boarded as an employee.


2. Candidate Personal Data We Collect and Disclose

What Candidate Personal Data Do We Collect?

Disclosures of Personal Data

Identifiers, such as name and contact information (including postal address, phone number, residence, and e-mail address) and other similar identifiers.

  • Service providers, such as recruiting software providers, background check providers, data storage and platform providers
  • Law enforcement, government agencies, and other recipients for legal, security, and safety purposes
  • In connection with a corporate transaction, including if we sell, acquire, or merge all or some of our assets
  • Professional advisors, such as lawyers, accountants, and auditors
  • Affiliates and subsidiaries within SAS, which includes parent and ultimate holding companies, affiliates, subsidiaries, business units and other companies that we acquire in the future after they are made part of SAS
  • To which you have consented to the disclosure

Information in connection with you and/or your job application, such as assessments you complete during the application process and information collected through the application process.

  • Service providers, such as recruiting software providers, background check providers, data storage and platform providers
  • Law enforcement, government agencies, and other recipients for legal, security, and safety purposes
  • In connection with a corporate transaction, including if we sell, acquire, or merge all or some of our assets
  • Professional advisors, such as lawyers, accountants, and auditors
  • Affiliates and subsidiaries within SAS, which includes parent and ultimate holding companies, affiliates, subsidiaries, business units and other companies that we acquire in the future after they are made part of SAS
  • To which you have consented to the disclosure

Information necessary to confirm your ability to work for SAS, which we may be legally required or permitted by local law to collect as part of the application process, such as immigration information, citizenship, proof of vaccination, or visa information.

  • Service providers, recruiting software providers, background check providers, such as data storage and platform providers
  • Law enforcement, government agencies, and other recipients for legal, security, and safety purposes
  • In connection with a corporate transaction, including if we sell, acquire, or merge all or some of our assets
  • Professional advisors, such as lawyers, accountants, and auditors
  • Affiliates and subsidiaries within SAS, which includes parent and ultimate holding companies, affiliates, subsidiaries, business units and other companies that we acquire in the future after they are made part of SAS
  • To which you have consented to the disclosure

Public information, such as social media profiles and job boards (where permitted).

  • Service providers, such as recruiting software providers, background check providers, data storage and platform providers
  • Law enforcement, government agencies, and other recipients for legal, security, and safety purposes
  • In connection with a corporate transaction, including if we sell, acquire, or merge all or some of our assets
  • Professional advisors, such as lawyers, accountants, and auditors
  • Affiliates and subsidiaries within SAS, which includes parent and ultimate holding companies, affiliates, subsidiaries, business units and other companies that we acquire in the future after they are made part of SAS
  • To which you have consented to the disclosure

Characteristics of protected classifications under California or Federal law, such as race or ethnic origin (optional), gender identity (optional), sexual orientation (optional), nationality (optional), ethnicity (optional), medical conditions (optional), military or veteran status (optional), and disability (optional).

  • Service providers, such as recruiting software providers, background check providers, data storage and platform providers
  • Law enforcement, government agencies, and other recipients for legal, security, and safety purposes
  • In connection with a corporate transaction, including if we sell, acquire, or merge all or some of our assets
  • Professional advisors, such as lawyers, accountants, and auditors
  • Affiliates and subsidiaries within SAS, which includes parent and ultimate holding companies, affiliates, subsidiaries, business units and other companies that we acquire in the future after they are made part of SAS.
  • To which you have consented to the disclosure

Professional or employment information, such as certifications, résumé, curriculum vitae, cover letter, training courses, publications, transcript information, work history, professional qualifications, performance information, references provided, background information provided or confirmed by academic institutions and training or certification providers, information provided by recruiting or executive search agencies.

  • Service providers, such as recruiting software providers, background check providers, data storage and platform providers
  • Law enforcement, government agencies, and other recipients for legal, security, and safety purposes
  • In connection with a corporate transaction, including if we sell, acquire, or merge all or some of our assets
  • Professional advisors, such as lawyers, accountants, and auditors
  • Affiliates and subsidiaries within SAS, which includes parent and ultimate holding companies, affiliates, subsidiaries, business units and other companies that we acquire in the future after they are made part of SAS.
  • To which you have consented to the disclosure

Education information, such as academic degrees, professional qualifications, certifications, training courses, publications, and transcript information.

  • Service providers, such as recruiting software providers, background check providers, data storage and platform providers
  • Law enforcement, government agencies, and other recipients for legal, security, and safety purposes
  • In connection with a corporate transaction, including if we sell, acquire, or merge all or some of our assets
  • Professional advisors, such as lawyers, accountants, and auditors
  • Affiliates and subsidiaries within SAS, which includes parent and ultimate holding companies, affiliates, subsidiaries, business units and other companies that we acquire in the future after they are made part of SAS.
  • To which you have consented to the disclosure

Audio, electronic, visual, or other sensory information, such as CCTV footage at SAS physical office locations, badge entry and exit information (including badge photo), and interview recordings (where permissible).

  • Service providers, such as recruiting software providers, background check providers, data storage and platform providers
  • Law enforcement, government agencies, and other recipients for legal, security, and safety purposes
  • In connection with a corporate transaction, including if we sell, acquire, or merge all or some of our assets
  • Professional advisors, such as lawyers, accountants, and auditors
  • Affiliates and subsidiaries within SAS, which includes parent and ultimate holding companies, affiliates, subsidiaries, business units and other companies that we acquire in the future after they are made part of SAS.
  • To which you have consented to the disclosure

Other information, such as any other personal data you voluntarily choose to provide in connection with your job application, such as compensation history.

  • Service providers, such as recruiting software providers, background check providers, data storage and platform providers
  • Law enforcement, government agencies, and other recipients for legal, security, and safety purposes
  • In connection with a corporate transaction, including if we sell, acquire, or merge all or some of our assets
  • Professional advisors, such as lawyers, accountants, and auditors
  • Affiliates and subsidiaries within SAS, which includes parent and ultimate holding companies, affiliates, subsidiaries, business units and other companies that we acquire in the future after they are made part of SAS.
  • To which you have consented to the disclosure

Sensitive Personal Data, such as government identifiers, race or ethnic origin (optional), gender identity (optional), sexual orientation (optional), ethnicity (optional), medical conditions (optional), disability (optional), visa information, immigration information, and proof of vaccination.

  • Service providers, such as recruiting software providers, background check providers, data storage and platform providers
  • Law enforcement, government agencies, and other recipients for legal, security, and safety purposes
  • In connection with a corporate transaction, including if we sell, acquire, or merge all or some of our assets
  • Professional advisors, such as lawyers, accountants, and auditors
  • Affiliates and subsidiaries within SAS, which includes parent and ultimate holding companies, affiliates, subsidiaries, business units and other companies that we acquire in the future after they are made part of SAS.
  • To which you have consented to the disclosure

 

If we request for you to provide any additional information not described above, we will notify you at the time of collection why we are asking for it and how we will process it. We may also de-identify, anonymize, or aggregate personal data to use and share with third parties for any purpose, where legally permitted.

In addition to the above disclosures, we may share your personal data to respond to lawful requests by law enforcement or other government authorities, including to meet national security requirements, in accordance with our Government Data Request Policy.


3. How We Process Candidate Personal Data


We may process your personal data for the following purposes:

Purpose of Processing

Lawful Basis

For recruiting purposes, to determine your qualifications for employment, and to make hiring decisions. For instance, we may process your personal data when evaluating your candidacy and communicating with you about the hiring process. Where legally permissible to do so, we may contact you about SAS roles for which you may be a fit.

Legitimate interests; Consent

To send you communications about SAS job postings, careers fairs, newsletters, and related corporate communications.

Consent

To inform you about SAS recruitment events in which you choose to participate. For instance, career fairs or university/nonprofit recruitment events.

Legitimate interests; Consent

To provide accommodations during the recruitment process. For instance, to provide accommodations requested for physical or mental conditions during the recruitment process.

Legal obligations

For the purpose of equal opportunities monitoring, compliance with anti-discrimination laws, or government-reporting obligations.

Consent; Legal obligations

To establish, exercise, or defend against legal claims.

Legal claims; Legal obligations

To protect the safety, security, and integrity of our property (such as our databases and other technology assets); to protect the rights of those who interact with us or others; and to detect, prevent, and respond to security incidents or other malicious, deceptive, fraudulent, or illegal activity. For instance, this may involve collecting and processing special categories of personal data (e.g., health data) where necessary for reasons of public health or as required by applicable law.

Legitimate interests; Public interest; Legal claims; Vital interests; Legal obligations

To fulfill a referral request when you are referred for a role with SAS by a SAS employee using our referral process, as permissible, including by using the provided contact information to reach out to you.

Consent; Legitimate interests

To perform a contract to which you are a party or to take steps at your request prior to entering into a contract. For instance, to take steps prior to entering an employment contract with you.

Contract

To understand and improve our recruitment process. For instance, including efforts to promote diversity, equity, and inclusion, where legally permissible.

Legitimate interests; Consent

Where you have voluntarily agreed to have your personal data processed.

Consent

 

SAS will honor data subject rights to the extent required by law. You may have the right to access, correct, update, and, in some cases, request deletion of your personal data (subject to exceptions). You may submit a request here.


4. Sources of Candidate Personal Data


We may collect Candidate personal data from sources that include the following:

  • Information you provide to us directly. We collect the personal data you provide to us directly. For instance, when you create or submit a job application or provide personal data to us as part of the interview process.
  • Information collected from other individuals. We may collect personal data about you from other individuals. For instance, references during the application process, including your current or past employer, coworkers, or friends. We may also collect personal data about you if you are referred for a role at SAS by someone else, as permissible.
  • Information from public sources. We may collect personal data you submit in public forums, such as information made publicly available on a personal webpage, personal social media pages and job boards (where permitted).
  • Information from other third parties. We may collect information from external third parties, such as professional or sanctions registries, background information provided or confirmed by academic institutions and training or certification providers, and recruiting or executive search agencies.

We may combine information that we receive from the various sources described in this Notice and use or disclose it for the purposes described in this Notice.


5. Retention of Candidate Personal Data


Your personal data will be stored in accordance with applicable laws and kept as long as needed to carry out the purposes described in this Notice (or as otherwise required by applicable law). If you are successful with your job application, your personal data will be kept in accordance with our SAS Worker Data Privacy Statement. If you are unsuccessful with your job application, your personal data will be kept for the duration of the application process, plus a reasonable period of time after confirmation that your application was unsuccessful to allow us to record the reasons for our decision in relation to your application (including so that we can exercise, establish, or defend any legal claims). Where permissible, we may also retain your personal data for a reasonable period to consider you for other suitable openings within SAS in the future.

If you would like to opt-out from SAS’s policy of retaining your information for the purposes of considering you for other suitable openings, please email privacy@SAS.com.


6. Contact Information


If you have questions or complaints regarding this Notice, please contact us by email at privacy@SAS.com or at:

SAS Institute Inc.
Attn: Chief Privacy Officer
100 SAS Campus Drive
Cary, NC 27513
United States

You may also raise complaints with the statutory regulator in your jurisdiction. A list of contact details for the EEA data protection authorities is available here, for the Swiss authority – here, and the U.K. authority – here.


7. Modifications to This Notice


We may update this Notice from time-to-time to reflect changes in legal, regulatory, or operational requirements; our practices; and other factors. Please check this Notice periodically for updates. When required under applicable law, we will notify you of any changes to this Notice by posting a notice on this page prior to any changes taking effect (and updating the “Last Updated” date at the beginning of this Notice) or in another appropriate manner.


8. Supplemental Information for EEA, Swiss, and U.K. Candidates


The following terms supplement the Notice with respect to our processing of European Economic Area (i.e., European Union Member States, Iceland, Liechtenstein, and Norway), Swiss, and U.K. personal data. In the event of any conflict or inconsistency between the other parts of the Notice and the terms of this Section 8, Section 8 shall govern and prevail with regard to the processing of EEA, Swiss, and U.K. personal data.

  • Data Controller: The SAS entity with whom you are interacting is the controller of information collected within the scope of this Notice. In the majority of cases, this will be the local SAS entity, unless we specifically inform you otherwise. In the U.S., this will be SAS, Inc. On some occasions, more than one SAS entity may process your personal data as independent controllers. If you have any questions about controllership, please contact us using the contact information provided in Section 6.
  • Legal Basis for Processing: Please see Section 3 for the legal basis on which we rely for the collection, processing, and use of your personal data.
  • Your Data Subject Rights: You may have certain rights in relation to your personal data. We will honor these rights to the extent required by law.
  • Access: You may have the right to obtain confirmation from us if your personal data is being processed, and supplementary information; and the right to obtain a copy of your personal data undergoing the processing.
  • Rectification: You may have the right to request the rectification of inaccurate personal data and to have incomplete data completed.
  • Objection: You may have the right to object to the processing of your personal data if it has been processed under the legitimate interest or public interest legal basis. We shall no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms or if the data is needed for the establishment, exercise, or defense of legal claims.
  • Portability: You may have the right to receive your personal data that you have provided to us, in a structured, commonly-used and machine-readable format and have the right to transmit it to other data controllers without hindrance. This right only exists if the processing is based on your consent or a contract and the processing is carried out by automated means.
  • Restriction: You may have the right to request to restrict the processing of your personal data in certain cases.
  • Erasure: You may request to erase your personal data if (i) it is no longer necessary for the purposes for which we have collected it, (ii) you have withdrawn your consent and no other legal ground for the processing exists, (iii) you objected and no overriding legitimate grounds for the processing exist, or (iv) the processing is unlawful, or erasure is required to comply with a legal obligation.
  • Right to Lodge a Complaint: You also may have the right to lodge a complaint with a supervisory authority in the country where you reside. The contact details for data supervisory authorities in the EEA are available here, in Switzerland here, and the U.K. here.
  • Right to Refuse or Withdraw Consent: In case we ask for your consent to processing, you are free to refuse to give consent and you can withdraw your consent at any time without detriment by contacting us using the contact information provided above in Section 6, or, in case of direct marketing e-mail communications, by clicking on the unsubscribe link. The lawfulness of any processing of your personal data that occurred prior to the withdrawal of your consent will not be affected.
  • Automated decision-making: The types of automated decision-making referred to in Article 22(1) and (4) EU/U.K. General Data Protection Regulation (“GDPR”) do not take place in connection with your personal data. Should this change, we will inform you about why and how any such decision was made, the significance of it, and the possible consequences of it. You will also have the right to human intervention, to express your point of view, and to contest the decision.
  • Other Rights: Depending on the local law of the jurisdiction in which you are located, you may have additional rights in relation to your personal data.

If you would like to exercise any of your rights, please submit a request here. Please note that we may refuse to act on requests to exercise data protection rights in certain cases, such as when providing access might infringe on someone else’s privacy rights or impact our legal obligations.

International Transfers Outside of the EEA, U.K., and Switzerland: As a global organization headquartered in the United States, we have offices, affiliates, subsidiaries, and employees located around the world. Because of this, some recipients with whom we share personal data may be located in countries outside the EEA, Switzerland, or the U.K., and which do not provide an adequate level of protection as defined by data protection laws in the EEA, Switzerland, and the U.K. Certain third countries have been officially recognized by the EEA, Swiss, and U.K. authorities as providing an adequate level of protection and no further safeguards are necessary. The below information outlines how we protect your personal data when transferring it outside those countries.

  • Intra-group transfers: Intra-group international transfers will be to countries where SAS entities are located, including the United States. The transfer of your personal data outside the EEA, Switzerland, and the U.K. to SAS members located in third countries which do not offer an adequate level of protection in comparison with the EEA, Swiss, or U.K. privacy standards will be based on the following safeguards:
    • The EU Standard Contractual Clauses and/or the U.K. International Data Transfer Agreement/U.K. International Data Transfer Addendum, as applicable. We may also utilize addendums and other data transfer agreements specific to certain countries.
  • Third parties: Some of the third parties with whom we share personal data are also located outside the EEA, Switzerland, or the U.K. in third countries, which do not provide an adequate level of data protection as defined by data protection laws in the EEA, Switzerland, or the U.K. Transfers to third parties located in such third countries take place using an acceptable data transfer mechanism, such as the EU Standard Contractual Clauses and/or U.K. International Data Transfer Agreement/U.K. International Data Transfer Addendum, approved codes of conduct and certifications, on the basis of permissible statutory derogations, or any other valid data transfer mechanism issued by the EEA, Swiss, or U.K. authorities. Please reach out to us using the contact information in Section 6 for further information or, where available, a copy of the relevant data transfer mechanism.

9. Supplemental Information for California Candidates


Pursuant to the California Consumer Privacy Act (“CCPA”), this section applies to certain personal data collected about Candidates that are California residents and supplements the rest of our Notice above. This section does not apply to the following personal data:

  • Information about Candidates who are not California residents;
  • Information about SAS employees. Such information is subject to a separate Employee Privacy Notice that we make available to SAS employees; or
  • Information that SAS processes about you if you interact with our Digital Properties (defined above in Section 1) or otherwise interact with SAS as a user of our products or services.

a.  How We Disclose California Candidate Personal Data

Section 2 above contains a chart detailing the categories of Candidate personal data and to whom it was disclosed for a business purpose in the past 12 months. We have not sold or shared personal data of Candidates in the past 12 months. SAS only uses Sensitive Personal Information, as defined by California law, consistent with the exceptions to the right to limit Sensitive Personal Information.

b.  Your California Data Protection Rights

California Candidates may have certain rights, subject to legal limitations, concerning the collection, use, and disclosure of their personal data:

  • Right to Know. You have the right to request information about the categories of personal data we have collected about you, the categories of sources from which we collected the personal data, the purposes for collecting the personal data, and to whom we have disclosed personal data and why (“Categories Report”). You may also request the specific pieces of personal data we have collected about you (“Specific Pieces Report”).
  • Right to Delete. You have the right to request that we delete personal data that we have collected from you.
  • Right to Correct. You have the right to request that we correct inaccurate personal data that we maintain about you.

California Candidates may request to exercise the above rights by submitting a request through our webform. We will not discriminate against you for exercising your privacy rights. We will respond to all requests within 45 days, unless we need more time, in which case we will notify you and may take up to 90 days total to respond to your request.

Verification: In order to process requests, we will need to obtain information to locate you in our records or verify your identity, depending on the nature of the request. In most cases, we will request information about you, which may include your name, email address, or other information.
Authorized Agents: Authorized agents may request to exercise rights on behalf of California Candidates, but we reserve the right to also verify the Candidate’s identity directly as described above. Authorized agents must contact us by submitting a request through our webform and indicate that they are submitting the request as an authorized agent. Authorized agents must provide evidence of their identity and documentation evidencing proof of the authorized agent’s legal authority to act on the behalf of the individual California Candidate.