Personal data that we collect about you when you visit our site falls into several categories.

Information that you provide voluntarily

We collect personal data that you provide voluntarily through our site, for example, when completing online forms to contact us, subscribing to a newsletter, subscribing to receiving marketing communications from us, or completing contact request forms. The information we collect about you may include one or more of the following:

• Name;
• Job title, job level or job function, role;
• Education;
• Company or organization;
• Company data;
• Contact information, including primary email, email address and telephone numbers;
• Demographic information, such as industry, country, postcode, preference and interests;
• Information pertinent to fulfilling our services to you;
• Any other personal data that you voluntarily choose to provide to us.

We do not intentionally collect sensitive category data, unless you provide us with such data. While there may be free text boxes on the site where you are able to enter any information, we do not intend to process sensitive information. You are not required to provide, and should not disclose, sensitive personal information in the free test boxes. If you choose to provide any sensitive personal information in this manner, you acknowledge you consent to the collection and processing of this sensitive information.

If you submit a contact form on our site, your personal data will be stored in our CRM system. Data in our CRM is deleted after 7 years or sooner if required by law or notification from the data owner (you).

Information that we collect automatically

When you visit our site, we collect certain personal data automatically from your device. Specifically, the data we collect automatically include information, such as your IP address, device type, unique device identification number, browser type, operating system, broad geographic location (e.g., country or city-level location) and other technical information. We also collect information about how your device has interacted with our site, including the pages accessed, current URL, time you visited the site and links clicked. Collecting this information enables us to better understand the visitors who come to our site, where they come from and what content on our site is of interest to them.

We use this information for our internal analytics purposes, and to improve the quality and relevance of your site to our visitors. Information will be collected using cookies and similar tracing technology, as explained further in the McConnell & Jones LLP Online Privacy Policy.

Purposes for which we process your personal data as a visitor to our site are:

• To administer and manage our site;
• To personalize and enrich your browsing experience by displaying content (including targeted advertising) that is more likely relevant and of interest to you;
• To analyze the data visitors to our site and traffic information;
• To capture web metrics about the journey of users within our site;
• To determine the company, organization, institution or agency that you work for or with which you are otherwise associated;
• To develop our business and services;
• To provide you with marketing communications;
• To conduct benchmarking and data analysis (for example, regarding usage of our site and demographic analysis of visitors or our site);
• To understand how visitors use the features and functions of our site;
• To monitor and enforce compliance with applicable terms of use;
• To allow services to be delivered effectively to you;
• Any other purpose for which you provide information to MJ.

Legal grounds for processing personal data of visitors to our site are:

• Our legitimate interest in the effective delivery of information and services to you, and the effective and lawful operation of our business;
• Our legitimate interest in developing and improving our site and your user experience;
• Explicit consent of the visitor.

When you engage us to provide you with professional services, we collect and use personal data when we have a valid business reason to do so in connection with those services. For an overview of our services, click the “SERVICES” icon at the top of any page on our website.

In the context of providing services to clients, MJ also processes personal data of individuals who are not directly our clients (for example, employees, customers or suppliers of our clients). Se the section “Individuals whose personal data we obtain in connection with providing services to our clients” for additional information.

The majority of the personal data we collect and use to provide our services is supplied voluntarily by (or collected by us from third-party sources as the request of) our clients. Because of this, if you are a client of MJ, it will generally be obvious to you what personal data we collect and use. This information can include:

• Basic information, such as your name, the company you work for, you position and your relationship to a person;
• Contact information, such as your postal address, email address(es), and telephone number(s);
• Financial information, such as payment-related information;
• Any other personal data relating to you or other third parties which you provide to us for the purpose of receiving our services.

We use this information:

• To provide services to you;
• To administer our relationship and maintain contractual relations;
• For accounting and tax purposes;
• For marketing and business development;
• To comply with our legal and regulatory obligations;
• To establish, exercise or defend legal rights;
• For historical and statistical purposes.

Given the diversity of the services we provide, we process many categories of personal data. Please see below (non0exhaustive) examples of personal data categories for our three main service lines:

Audit & Assurance Services

In providing audit and assurance services, MJ will process information that contains personal data, such as payroll files, board records and other documents attributable to the audit client’s activities. Example of categories of personal data that are processed are:

• Contact details, such as, name, address, telephone number(s) and email address(es);
• Details of employment, such as employment number, employment department, role and employment time;
• Health and absent data, e.g., medical certificate and information on sick leave, leave of absence or parental leave;
• Trade union membership;
• Person identity number;
• Information on financial conditions, such as bank account information, salary details and other benefits, insurance data and the license plate of a company car;
• Information on insurance and occupational pensions;
• Other categories of personal data needed for conducting the audit in accordance with good auditor’s and auditing standards.

Tax & Accounting Services

Examples of personal data categories processed by MJ tax and accounting client engagement teams are:

• Personal details for the individual client and their family members, including names, addresses and demographic, contact information, dates of birth, and tax identifiers, including social security numbers and email addresses;
• Personal details for the individual client’s delegates, including names, contact information and email addresses;
• Tax return files: liability, dates produced and sent, and comments on tax returns;
• Tax equalization data: liability, dates produced, settlement amounts and taxes paid;
• Organizers used for collecting the individual taxpayer’s (and if required, their family members’) country-specific personal income tax information, education, employment, medical, legal history and other data that is required in rendering services;
• Workpapers used to edit client information received from organizers or other means; compensation data from employers; sourcing of income based on assignment and travel calendar data;
• Current, past or future travel information for the individual, including locations visited and workday activities that occurred in each location;
• Documents, such as tax returns, assignment letters, immigration documents, audit requests from taxing authorities, and official and personal documents (birth certificates, marriage licenses, education documentations and degrees, and passport copies);
• Financial reporting oversight role (FROR) questionnaires, indicating employment status, employer and job description;
• Company-specific information: corporate client personnel contacts and division names;
• Assignments data: details regarding current working and living arrangements, including country and city of assignment, employer division funding salary and assignment costs;
• Immigration data: work permit questionnaires, status of work permit, copy of application form, copy of work permit, copy of visa, copy of passport and other immigration documents.

Consulting Services

In providing consulting services, MJ processes a wide variety of information, including all types of personal data. The scope depends on the service and the sector in which the client is active. For example, providing cybersecurity services for a governmental entity involves the processing of different types of personal data than helping a client in the insurance sector improve their claims processes.

Examples of personal data categories received or processed by Consulting client engagement teams are:

• Contract details, such as name, address, telephone number(s) and email address(es);
• HR and supplier records of clients, which include personal details of employees or suppliers of the client, such as name, contact details, date of birth, race, government identification numbers, employment contracts and service contracts;
• Financial data, such as wage and salary information, pension and retirement benefits information, and bank account numbers;
• Health information about individuals;
• Personal data of employees;
• Customer data, including race or gender;

In addition, we also process identification and background information as part of our client acceptance, finance, administration and marketing processes, including audit independence, anti-money laundering, conflicts, reputational and financial checks, and to fulfill any other legal or regulatory requirement to which we are subject.

The checks include the following:

• Identity verification: proof of name and address;
• Ultimate beneficial ownership of corporate and other legal entities;
• Conflicts checks: to avoid conflict of interest with any other client;
• Anti-money laundering, proceeds of crime and terrorist financing checks;
• Politically exposed persons (PEP) checks: those with prominent roles in government, judiciary, courts, central banks, embassies, armed forces and state-owned enterprises, including their family members and close associates;
• Adverse media checks;
• Government sanctions list checks;
• Independence checks.

These checks are made for legal, regulatory or business reasons and need to be repeated during the course of our engagement. As part of these checks, we are required to process special category data (for example, to verify if you are a politically exposed person or to collect information about criminal conventions where this is required for anti-money laundering laws). It is important you provide us with all necessary information and documents as this affects our ability to provide services to you.

Legal grounds for processing personal data of our clients are:

• Performance of a contract or engagement;
• Compliance with a legal or regulatory obligation;
• Our legitimate interest in providing you with seamless, consistent, hig-quality servers and securing prompt payment of any fees, costs and debts in respect of our services;
• Our legitimate interest in understanding any conflict of interest or challenge with regard to independence legislation;
• Our legitimate interest in safeguarding MJ against inadvertently dealing with the proceeds of criminal activities or assisting in any other unlawful or fraudulent activities (for example, terrorism).

As part of the professional services MJ provides to clients, MJ processes personal data of individuals with whom we do not have a direct (contractual or other) relationship. For example, if we perform a statutory audit, our engagement team will be required to audit our client’s books, which could include payroll data for employees of the client, supplier data, financial administration, data regarding claimants and legal proceedings.

We seek confirmation from our clients that they have the authority to provide personal data to us in connection with the performance of the services and that any personal data they provide to us has been processed in accordance with applicable law.

Given the diversity of services we provide, we process many categories of personal data such as:

• Personal details (such as name, age, date of birth, gender, marital status and country);
• Contact details (such as phone number(s), email address(es) and postal address(es);
• Financial details (such as salary, payroll, income, investments, benefits and tax status);
• Employment details (such as role, rank, experience, performance data and employment numbers).

For certain services, we also process special category data. For example, in certain countries performing tax return services involves the processing of details or payments made by our client, his or her spouse and dependents with respect to a trade union membership, to a political party, for medical treatments or to a religious charity. Such data is collected intentionally and will be used only where necessary in connection with the provision of the service for which the data was collected, such as determining the correct taxation of our client’s income and for claiming the correct tax deduction with respect to such payments.

Legal grounds for processing personal data of individuals whose personal data we obtain in connection with providing services to our clients are:

• Compliance with a legal or regulatory obligation;
• Our legitimate interest in making sure our clients are provided with seamless, consistent and high quality-services.

We process personal data about contacts (former, existing and potential clients and individuals employed by, or associated with, such clients and other business contacts, such as alumni, consultants, and regulators) in our CRM system. The CRM system supports the marketing operation of MJ. Contacts in our CRM system will be sent newsletters, marketing materials, surverys and/or invitations to events. Contacts in our CRM system can opt out of communications by clicking the unsubscribe link a the bottom of all messages or contacting the MJ data protection team.

In our CRM system, we process the following categories of personal data:

• Name, Job title, address(es), phone and fax number(s);
• Name of employer or organization the individual is associated with.

We do not intentionally collect sensitive category data, unless you provide us with such data.

Legal grounds for processing personal data of business contacts are:

• Explicit consent of the business contact;
• Our legitimate interest in managing the relationship with our business contacts and providing information about McConnell Jones and our services.

Social Media Sites

McConnell Jones uses various social media platforms, for example, for recruitment or marketing purposes. We use social media to provide you with easy access to relevant information regarding job opportunities at MJ and events we organize or participate in, and to promote our services and brand.

While MJ will be responsible for the content it publishes using social media platforms, MJ will not be responsible for managing the social media platforms (such as creating user statistics or placing cookies). When using these social media platforms, you are obligated to adhere to the legal and privacy terms imposed by the social media platform providers. Such providers collect data about you, including statistical and analytical data regarding your use of the social media platforms, such as an overview of pages you have accessed, “likes”, recent visits, posts you publish or find interesting. If you require access to such data or want to invoke one of your rights (such as the right to object to the processing of your data), you should contact the social media platform provider. Some social media providers provide MJ with aggregate data relevant for our pages, such as the amount of “likes” triggered by our content or the number of posts, visitors to our sites, photos that are downloaded or links that are clicked.

Social media plugins (such as like and share buttons)

On our site, we implement so-called social media plugins. When you visit a page that displays one or more of such buttons, your browser will establish a direct connection to the relevant social network server and load the button from there. At the same time, the social media provider will know that the respective page on our site has been visited. We have no influence on the data the social media providers collect on the basis of the buttons. If you wish to prevent this, please log out of your social media accounts before visiting our website. Social media providers set cookies as well, unless you have disabled the acceptance and storage of cookies in your browser settings.

LinkedIn plugin

Our website uses the LinkedIn button plugin to enhance user experience by enabling visitors to share content, follow our LinkedIn page, or view LinkedIn profiles directly from our site. When you interact with the LinkedIn button, LinkedIn may collect certain information about your visit, including your IP address, browser type, and the pages you visit. This data is used by LinkedIn to provide personalized content and advertisements.

For more details on how LinkedIn handles your data, please refer to LinkedIn’s Privacy Policy.

Instagram plugin

Our site contains functions of the Instagram service.

If you are logged into your Instagram account, you can click the Instagram button to link the content of our pages with your Instagram profile. This means that Instagram can associate visits to our pages with your user account. If you are not yet logged into your Instagram account, clicking an Instagram button will show you the Instagram login page for you to enter your login credentials. We expressly point out that we receive no information on the content of the transmitted data or its use by Instagram.

For more information, see Instagram’s privacy policy.

Legal grounds for processing personal data of visitors to our social media pages and the use of social media plugins are:

• Our legitimate interest in promoting MJ services and brand;
• Our legitimate interest in attracting, identifying and sourcing talent;
• Our legitimate interest to improve your website experience and to optimize our services.

McConnell Jones uses a variety of tools to maintain the security of our IT infrastructure, including our email facilities. Examples of such tools are:

• Systems that scan incoming emails to MJ recipients for suspicious attachments and URLs, in order to prevent attacks;
• Tools that provide endpoint threat detection to detect malicious attacks;
• Tools that block certain content or websites.

If you correspond via email with an MJ recipient, your emails will be scanned by the tools. MJ operates to maintain the security of its IT infrastructure, which could result in content being read by authorized MJ personnel other than the intended recipient.

Legal grounds for processing personal data of individuals who correspond with MJ via email:

• Our legitimate interest in protecting our IT infrastructure against unauthorized access or data leakage;
• Our legitimate interest in analyzing email traffic.

MJ’s phone service is provided by Microsoft. When you call MJ personnel, your phone number and potentially your name (dependent on caller ID provided by the telephone utility) may be stored on Microsoft server and will be delivered to the recipient of your call. No other personally identifiable information is collected but technical logs and reports may be stored for trouble shooting purposes.

MJ’s voice mail service is provided by Microsoft. When you call MJ personnel and leave a voicemail, this voicemail and any personal data contained within it will be stored on global Microsoft Azure servers and will be delivered to the recipient of your call as an MP3 voice clip in an email. Microsoft will not keep call logs in relation to your calls to MJ personnel.

More information on Microsoft’s Privacy Policy can be found here.

Legal grounds for processing personal data of individuals who correspond with MJ via phone and voicemail services:

• Our legitimate interest in maintaining communication networks.

We collect information from and about candidates in connection with available employment opportunities at MJ. The information that we collect, the manner in which it is used, and the time in which it is gathered varies depending on the country in which you apply. As a general matter, the data we collect regarding our job applicants includes resumes or CVs, identification documents, academic records, work history, employment information and references.

We use your personal data to match your skills, experience and education with specific roles offered by MJ. This information is shared with the relevant hiring manager(s) and person(s) involved in the recruitment process to decide whether to invite you for an interview. MJ will collect further information if you are invited to the interview (or equivalent) stage and onward. Such information includes interview notes, assessment results, feedback and offer details.

In connection with our recruitment activities, including applications and onboarding, we also collect special category data from candidates where we have an employment law obligation to do so. This information is relevant to their future working environment at MJ or the future provision of employment benefits, or with the individual’s explicit consent, where collecting such information is permitted by law. For example, where allowed under applicable law, we will collect information about an individual’s disabilities in order to analyze the diversity of our workforce. Once onboarded, an individual’s provision of information regarding disabilities will also be used to provide a suitable working environment. We will also need to conduct criminal background checks for certain candidates to assess their eligibility to work at MJ or for MJ clients. In certain countries, we will also ask candidates to provide diversity information about their race and ethnicity, and sexual orientation for diversity monitoring purposes, although the provision of this information will be entirely voluntary. However, where a candidate does not voluntarily provide such information, we could be required by law to make our own assessment of such criteria.

Our recruitment tools and websites contain their own privacy notices explaining why and how personal data is collected and processed by those applications. We encourage individuals using our recruitment tools and websites to refer to the privacy notices available on those tools and websites.

Depending on the country in which you apply, MJ collects personal data about candidates (you”) from the following sources:

• Directly from you – for example, information that you have provided when applying for a position directly through the MJ careers website (for additional information about the processing of your personal data via our global recruitment management system, please read the data privacy statement available in this system);
• From recruitment agencies – for example, when a recruitment agency with your details contacts us to suggest you as a potential candidate;
• Through publicly available sources online – for example, where you have a professional profile posted online (e.g., on your current employer’s website or on a professional networking site, such as LinkedIn);
• By reference – for example, through a reference from a former employee or employer, or from a referee you have identified;
• Results of background screening checks.

Legal grounds for processing personal data of our job applicants are:

• Explicit consent of the candidate;
• Our legitimate interest in attracting, identifying and sourcing talent;
• Our legitimate interest to process and manage applications for roles at MJ, including the screening and selecting of candidates;
• Our legitimate interest to hire and onboard candidates by making an offer to successful candidates, and carrying out pre-employment screening checks;
• Our legitimate interest to manage our career websites (including conducting statistical analyses);
• Compliance with a legal or regulatory obligation (when carrying out background checks to warrant a candidate is eligible to work).

We process personal data about our suppliers (including subcontractors, and individuals associated with our suppliers and contractors) in order to manage our relationship and contract, and to receive services from our suppliers.

The personal data we process is generally limited to contact information (name, name of employer, phone, email and other contact details) and financial information (payment-related information).

In addition, we also use data about our suppliers to check whether we have a conflict of interest or audit independence restriction to appointing a supplier. Before we take on a new supplier, we also carry out audit independence and other background checks required by law or regulation, for example, adverse media, bribery and corruption, and other financial crime checks.

Legal grounds for processing personal data of our suppliers are:

• Performance of a contract;
• Compliance with a legal or regulatory obligation;
• Our legitimate interest in managing payments, fees and charges, and collecting and recovering money owed to MJ;
• Our legitimate interest in understanding any conflict of interest or challenge with regard to independence legislation;
• Our legitimate interest in safeguarding against MJ inadvertently dealing with the proceeds of criminal activities or assisting in any other unlawful or fraudulent activities (for example, terrorism).

When you visit an MJ office, we process your personal data in order to provide you with certain facilities (such as access to our buildings and conference rooms or Wi-Fi), to control access to our buildings, and to protect our offices, personnel, goods and confidential information (for example, by using CCTV).

The personal data we collect is generally limited to your name, contact information, location, and the time you enter and leave our office.

Visitor records
We require visitors to our offices to sign in at reception and we keep that record of visitors for a short period of time. Our visitor records will be used to verify personnel in the office, to look into a security incident and for emergency purposes (for example, if an office needs to be evacuated).

Wi-Fi
We monitor and log traffic on our Wi-Fi networks. This allows us to see limited information about a user’s network behavior but will also include being able to see at least the source and destination addresses the user is connecting from and to.

CCTV
MJ uses CCTV monitoring where permitted by law. CCTV images are securely stored and only accessible on a need-to-know basis (for example, to look into an incident). We are allowed to disclose CCTV images to law enforcement bodies. We will also share CCTV images with our insurers for purposes of processing an insurance claim as a result of an incident. CCTV recordings are typically deleted or automatically overwritten after a short period of time unless an issue is identified that requires further investigation.

Legal grounds for processing personal data of visitors to MJ offices are:

• Our legitimate interest in protecting our offices, personnel, goods and confidential information
• Our legitimate interest in preventing and detecting crime, and establishing, exercising and defending legal claims