Candidate Privacy Notice

What does this notice do?

Cazoo is a “controller” of your personal data. This means that we’re responsible for deciding how we collect, hold and use your personal data.

This notice is for those applying for work with us (whether as an employee, worker or contractor). It makes you aware of how and why we’ll use your personal data and how long we’ll usually keep it for. It provides you with information we’re required to tell you under data protection law.

Data protection principles

We will comply with data protection law. This means that the personal data we hold about you must be:

  • used lawfully, fairly and in a transparent way;

  • collected only for valid purposes that we have explained to you and then not used in any way that is incompatible with those purposes;

  • relevant to the purposes that we have explained to you;

  • accurate and kept up to date;

  • kept only for so long as is necessary for the purposes that we have explained to you; and

  • kept securely.

The personal data we hold about you

In connection with your application to work with us, we’ll collect, store and use the following categories of personal data about you:

  • the information you sent us in your CV and covering letter;

  • the information you provided in our application form, including your name, title, address, phone number, email address, date of birth, gender, employment history and qualifications;

  • any information you gave to us at interview; and

  • a copy of and results from any written assessment you carry out.

We might also collect, store and use the following types of more sensitive personal data:

  • information about your race or ethnicity, religious beliefs, sexual orientation and political opinions;

  • information about your health, including any medical condition, health and sickness records; and

  • information about criminal convictions and offences.

How do we collect your personal data?

We collect personal data about candidates from the following sources:

  • candidates themselves;

  • recruitment agencies;

  • our background check provider, HireRight;

  • the Disclosure and Barring Service in relation to criminal convictions;

  • any referees you provide; and

  • from publicly accessible sources like LinkedIn and other social media sites.

How does Cazoo use your personal data?

We’ll use your personal data to:

  • assess your skills, qualifications and suitability for the role;

  • carry out background and reference checks, where applicable;

  • communicate with you about the recruitment process;

  • keep records relating to our hiring process; and

  • comply with legal and regulatory requirements.

It is in our legitimate interest to decide whether to appoint you to a role at Cazoo because it would be beneficial to our business to appoint someone to that role.

We also need to process your personal data to decide whether to enter into a contract with you.

After we receive your application and the results of any written assessment, we’ll then process that information to decide if you meet the basic requirements to be shortlisted for the role. If you do, we’ll decide whether your application is strong enough to invite you for an interview. If we decide to invite you for an interview, we’ll use the information you provide to us at the interview to decide whether to offer you the role. If we decide to offer you the role, we will then take up references and carry out a background check (including a criminal record check, if applicable) before confirming your appointment.

If you fail to provide personal data when requested and that personal data is necessary for us to consider your application (for example, evidence of qualifications or work history) we will not be able to process your application successfully. For example, if we require references for a role and you fail to provide them, we will not be able to take your application further.

How we use particularly sensitive personal data

We will use your particularly sensitive personal data in the following ways:

  • We’ll use information about your disability status to consider whether we need to provide appropriate adjustments during the recruitment process.

  • We’ll use information about your race or national or ethnic origin, religious, philosophical or moral beliefs, your sexual life or sexual orientation, to ensure meaningful equal opportunity monitoring and reporting.


Information about criminal convictions

We envisage that we’ll process information about criminal convictions.

We’ll collect information about your criminal convictions history if we would like to offer you the role (conditional on checks and any other conditions, such as references, being satisfactory). We are entitled to carry out a criminal records check to satisfy ourselves that there is nothing in your criminal convictions history which makes you unsuitable for the role. In particular:

  • for some roles, we are legally required by the Financial Conduct Authority to carry out criminal record checks;

  • some roles (for example, in our legal or finance teams) are listed on the Rehabilitation of Offenders Act 1974 (Exceptions) Order (SI 1975/1023) and so are eligible for an enhanced check from the Disclosure and Barring Service; and

  • some roles (particularly customer-facing roles and those which involve handling money or systems which interact with customer data or payments) require a high degree of trust and integrity, and so we would like to ask you to seek a basic disclosure of your criminal records history.

We have in place an appropriate policy document and safeguards which we are required by law to maintain when processing personal data of this nature.

Automated decision-making

You won’t be subject to decisions that will have a significant impact on you based solely on automated decision-making.

Data sharing

We’ll only share your personal data with the following third parties for the purpose of processing your application:

  • recruitment agencies, where applicable;

  • other companies in the Cazoo group and our investors; and

  • our third party service providers, including:

      • Google (which provides our business systems like email and file storage);

      • Greenhouse (which is our applicant tracking system);

      • HireRight (which is our background check provider); and

      • DocuSign (which is our e-signature tool for our contracts).

We don’t allow third party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

Data security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to access it. They will only process your personal data on our instructions and they are subject to binding duties of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will tell you and any applicable supervisory authority about a personal data breach if the law requires us to do so.


Data retention

We will retain your personal data for 12 months after we have told you whether we’ve decided to appoint you to the role you applied for. We retain your personal data during that period so that we can show, in the event of a legal claim, that we have not discriminated against you on prohibited grounds and that we have conducted the recruitment process in a fair and transparent way. After this period, we’ll securely destroy your personal data in accordance with applicable law.

If we wish to retain your personal data on file in case another suitable opportunity arises in future, we’ll ask for your consent to do this for a fixed time period on that basis.

Rights of access, correction, erasure and restriction

Under certain circumstances, by law you have the right to:

  • request access to your personal data (sometimes called a “data subject access request”) - this enables you to receive a copy of the personal data we hold about you and to check that we’re lawfully processing it;

  • request correction of the personal data we hold about you - this enables you to have any incomplete or inaccurate information we hold about you corrected;

  • request erasure of your personal data - this enables you to ask us to delete personal data where we no longer have a good reason for continuing to process it, and you can also ask us to delete your personal data where you’ve exercised your right to object (see below);

  • object to processing of your personal data where we’re relying on a legitimate interest and there is something about your situation that makes you want to object to processing;

  • request the restriction of processing of your personal data - this enables you to ask us to suspend processing your personal data, for example if you want us to establish its accuracy or the reason for processing it; and

  • request the transfer of your personal data to someone else.

If you want to review, verify, correct or request erasure of your personal data, object to the processing of your personal data, or request that we transfer a copy of your personal data to someone else, please contact the Cazoo talent team in writing.

Data Protection Officer

We have appointed a Data Protection Officer at Cazoo to oversee compliance with this privacy notice.

Our Data Protection Officer is currently Michael Haynes, our Head of Legal. If you have any questions about this privacy notice or how we handle your personal data, please contact him via the Cazoo talent team.

You have the right to complain at any time to the Information Commissioner’s Office (or “ICO”), the UK’s supervisory authority for data protection issues.