Updated: December 21, 2022
The following definitions apply to this Policy:
- “CCPA” means the California Consumer Privacy Act, as amended.
- “Consumer” means a living individual about whom the Company holds Personal Information.
- "Contractor" means a natural person who provides any service to a business pursuant to a written contract.
- "Covered Person" refers to:
  - current and former employees (including permanent, temporary and part time employees);
  - job applicants and other prospective employees;
  - owners, directors, officers, medical staff members, or contractors of the Company about whom the Company collects and processes Personal Information;
  - dependents and beneficiaries of current and former employees, owners, directors, and officers about whom the Company collects and processes Personal Information.
- "Director" means a natural person designated in the articles of incorporation as such or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.
- “Electronic” means relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic, or similar capabilities.
- “Encrypted” means the transformation of data through an algorithmic process or an alternative method that is at least as secure, so that the data can only be accessed with a confidential key or password.
- "Officer" means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, such as a chief executive officer, president, secretary, or treasurer.
- "Owner" means a natural person who meets one of the following:
  - Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.
  - Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.
  - Has the power to exercise a controlling influence over the management of a company.
- “Personal Information” means information (whether stored Electronically or in physical filing systems) relating to a living individual who can be identified from that data (or from that data and other information in our possession). Personal Information can be factual (such as a name, address, date of birth, social security number or driver's license number), Sensitive Personal Information as described below, or it can be an opinion (such as a performance appraisal). It can even include a simple e-mail address. The categories of Personal Information as defined by the California Consumer Privacy Act of 2018 (“CCPA”) that pertain to this Policy include:
  - Identifiers: Name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers
  - Other Data¹: Financial information, medical information, health insurance information, signature, physical characteristics or description, telephone number, geolocation
  - Protected Classes: Race, color, sex, age (40 and older), religion, national origin, citizenship status, genetic information, sexual orientation, gender identity or gender expression, ancestry, AIDS/HIV, disability, marital status, familial status, military or veteran status, political affiliations or activities, status as victim of domestic violence, assault, stalking, or any other classification protected under California or federal law
  - Biometric Information: Fingerprints, retina scans, face prints, DNA
  - Internet Activity: Browsing history, search history, website interactions
  - Geolocation Data: Data which allows for determining, with reasonable precision, the location of any person or object
  - Sensory Data: Audio, electronic, visual, thermal, olfactory, or similar
  - Professional Data: CV, resume, employment history, licenses, certificates
  - Education Data: Educational background, grades, scores
  - Inferences: Profiles about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities drawn from other Personal Information
- “Processing”, "Process" or “Processed” is any activity that involves use of the Personal Information. It includes obtaining, recording or holding the Personal Information, or organizing, amending, retrieving, using, disclosing, erasing or destroying it including by automated means. Processing also includes transferring Personal Information to third parties.
- “Prospective Employee” is an individual who has been offered a position or prospective applicants with the Company, contingent upon the satisfactory completion of certain actions, which can include (where legally permissible) pre-employment drug screens, driving records and criminal background checks.
- "Sensitive Personal Information" is Personal Information that reveals one or more of the following types of information about a person: Social Security, driver’s license, state identification card or passport number; account log-in, financial account, debit card or credit card number in combination with any required security or access code, password or credentials allowing access to an account; precise geolocation; racial or ethnic origin, religious or philosophical beliefs, or union membership; contents of a consumer’s mail, email, and text messages unless the business is the intended recipient of the communication; genetic data; biometric information; health information; information about sex life or sexual orientation. This Sensitive Personal Information will be handled with extra care as further described in this Policy. Sensitive Personal Information includes financial account information, protected health or medical details, physical or mental health or condition, or about the commission of, or proceedings for, any offence committed or alleged to have been committed by that living individual, the disposal of such proceedings or the sentence of any court in such proceedings.
2. Purpose and Scope of this Policy
This Policy sets out the basis on which any Personal Information the Company collects from you, or you provide to the Company, will be Processed by the Company. This Policy aims to safeguard Personal Information in any format, in particular to:
- ensure the security and confidentiality of Personal Information in a manner consistent with industry and legal standards;
- protect against threats or hazards to the security or integrity of Personal Information; and
- protect against unauthorized access to or use of Personal Information that creates a substantial risk of identity theft or fraud.
This Policy applies to all Personal Information that exists in any of the Company’s Processing environments, on any media, at all times, relating to the Company’s Covered Persons.
As an employer, the Company needs to collect, store and Process Personal Information about its Prospective Employees. Personal Information may be provided to the Company by a variety of means, including through the Internet, by email, by telephone, by fax or in person. Personal Information, which may be held on physical or Electronic media, is subject to certain legal safeguards that impose restrictions on how the Company may Process Personal Information. The Company strives to uphold these key principles when Processing Personal Information:
2.1 Openness: Provide information to Prospective Employees about how we Process their Personal Information, including not doing anything with their Personal Information that they would not expect or that we would be embarrassed for them to know about.
2.2 Purpose Limitation: Only collect Personal Information for a specific business need of the Company, and only use the Personal Information for that specific purpose for as long as necessary.
2.3 Accuracy: Keep Personal Information accurate, complete and up-to-date; anyone whose Personal Information we Process has the right to obtain a copy of that Personal Information and to correct any inaccuracies.
2.4 Security: Protect Personal Information with appropriate security measures from being lost or stolen, and to prevent to the extent possible accidental or unauthorized access, damage, loss or disclosure.
3. What Personal Information Does the Company Collect from Prospective Employees and How Does the Company Use Personal Information?
3.1 The Company may collect and Process the following Personal Information about Prospective Employees for the following purposes:
- For the purpose of performing human resource functions and employment eligibility verification, the Company may request: name, address, date of birth, social security numbers, driver's license number, passport number, Visa status (where lawful and required), employment eligibility verification, criminal records, and, where necessary, motor vehicle records, state identification card numbers, education and employment history, certificates and licensures, and resume/CV.
- For the purpose of determining whether an applicant can carry out the essential job duties of their position and determination of hiring an applicant, the Company may collect information from a Prospective Employee’s former employer(s) relating to a Prospective Employee’s job performance; background details relating to an applicant’s record checks or credit checks (when permitted by law and related to the applicant’s position); confirmation of degrees, professional licenses, and certifications; information about criminal convictions and Sensitive Personal Information, in accordance with applicable local or national laws and regulations; insurance confirmation (where such information is required for the performance of the position's essential job duties), and medical information related to physical restrictions (as required for the performance of the position's essential job duties).
The Company may collect Personal Information as needed to comply with applicable laws and regulations. Although the Company is permitted under relevant laws to undertake a range of human resources-related Processing, by submitting Personal Information to the Company you confirm your consent to your Personal Information being Processed as set forth in this Policy.
Prospective Employees will be told in advance how and which aspects of their Personal Information will be verified and if any vetting will take place, and will be informed which, if any, external agencies are used.
Prospective Employees will be given the opportunity to explain any discrepancies that emerge as a result of any verification or any information uncovered by vetting that might negatively affect their application. Moreover, any vetting will also: (i) be restricted to roles where it is genuinely necessary; (ii) not involve approaches to colleagues or the family of individuals, except in exceptional circumstances; and (iii) be targeted at the collection of specific and not general information. All information collected will be in compliance with all applicable laws.
4. How Does the Company Use Personal Information?
As set forth in more detail above, the Company uses Personal Information in the following ways:
- To comply with applicable laws and regulations.
- To carry out Processing with your consent or as a result of contractual necessity.
- To carry out its obligations arising from contracts entered into between Prospective Employees and the Company.
Although the Company is permitted under relevant laws to undertake a range of human resources related Processing, by submitting Personal Information to the Company you confirm your consent to your Personal Information being Processed as set forth in this Policy.
5. The Company’s Responsibility For Your Personal Information – Security Procedures
The Company will strive to protect your Personal Information through the following methods:
- The Company has security procedures in place so that Personal Information the Company holds is kept secure and in accordance with this Policy. This includes conducting periodic testing and monitoring of the Company’s systems and security measures and processes, maintaining an audit plan, training and testing Covered Persons on the Company's data security protocols, and monitoring compliance with this Policy.
- The Company maintains security measures and technology to prevent Personal Information from being inadvertently disclosed to any unauthorized third party either orally, in writing, via the internet, or by any other means, accidentally or otherwise. This includes, without limitation, monitoring the Company’s systems for unauthorized access; employing firewall protection and system security patches; and employing virus and malware protection.
- The Company ensures laptops, backup tapes, and other portable devices containing Personal Information are password protected and all Personal Information is encrypted as appropriate.
- The Company uses physical, administrative, and technical procedures to limit access to Personal Information as described in this Policy.
- The Company has the ability to remotely destroy Personal Information on company laptops and certain mobile devices that are lost or stolen.
6. Your Consent To Processing Sensitive Personal Information
You acknowledge that sometimes it is necessary to Process Sensitive Personal Information as described in Section 3 above. When we Process Sensitive Personal Information we will only do so when necessary, while employing measures that minimize the risks to the Prospective Employee and otherwise as further provided for in this Policy. The Company does not collect or process Sensitive Personal Information for the purpose of inferring characteristics about a Prospective Employee.
Notwithstanding the fact that the Company has the right to Process Sensitive Personal Information in certain circumstances under relevant laws, you give your express consent to the Company Processing such Sensitive Personal Information for such necessary purposes.
7. Disclosure and Transfer of Personal Information
7.1 Security of Personal Information during transfer
Where Personal Information is transferred within the Company’s organization in the course of performing its duties, the level of security appropriate to the type of Personal Information and anticipated risks will be applied. For example, if transferred by e-mail, Personal Information may be encrypted with the password supplied separately where it is appropriate and necessary. The Company also employs recognized technology or private networks to protect Personal Information transferred over the Internet where the Company believes it is appropriate and necessary.
7.2 Disclosures to third parties
By providing Personal Information to the Company you agree that the Company may share certain information with third parties and by submitting Personal Information to the Company you agree to this transfer and Processing.
Personal Information will only be transferred to a third-party if that third party agrees to comply with procedures and policies which are compliant with this Policy and the Company’s procedures regarding data protection, or if that third party puts in place adequate measures which are compliant with all applicable laws and regulations.
Personal Information will only be shared with third parties in limited circumstances, including:
- As necessary to any subsidiary, our ultimate holding company, and/or its subsidiaries with such group companies following procedures and policies that comply with this Policy.
- If the Company sells or buys any business or assets or merges with or is acquired by another company, in which case the Company may disclose your Personal Information to the prospective seller or buyer of such business or assets.
- If the Company is under a duty to disclose or share your Personal Information in order to comply with any legal obligation.
- With third party companies who conduct background checks including credit history and background, criminal background, civil court case history, employment background, and other similar purposes. The third parties with whom this information is shared will use it only for the purposes of conducting the background check as specified by the Company.
8. Restrictions On Access To Personal Information
The Company employs physical, administrative and technological means to restrict access to Personal Information including:
- Only those who have appropriate authority or are reasonably required to know or use Personal Information will have access to Personal Information, and only to the extent necessary for legitimate business purposes. This authority may be revoked at any time and for any or no reason.
- Physical records containing Personal Information (e.g., paper records and storage media) are required to be kept in restricted and secure areas. Access to these records is limited to authorized personnel only to the extent necessary for legitimate business purposes.
- Physical or Electronic access is terminated for Covered Persons whose employment is terminated or whose authorization is revoked. Terminated and unauthorized Covered Persons are required to return all equipment and are not permitted to maintain any copies or reproductions of Personal Information.
- The Company endeavors to disclose Personal Information only to the extent reasonably necessary. The Company masks Sensitive Personal Information and other details such as Social Security Numbers and financial account numbers, as applicable.
- The Company does not permit direct public access between external networks and any system component that stores Personal Information. The Company uses a DMZ to filter and screen inbound and outbound Internet traffic.
9. Retention and Disposal of Personal Information
9.1 Retention of Personal Information
- The Company will only retain your Personal Information, or portions of your Personal Information for as long as is necessary to perform its obligations to you or as is required by law. The Company has a legal duty to retain employment records that may include a Prospective Employee’s Personal Information even if the applicant does not become an employee of the Company. There are varying requirements as to how long an employer must maintain employment records depending on the type of record being maintained. Accordingly, different categories of Personal Information may be kept for different periods of time in compliance with the law.
All Personal Information you provide will be stored on secure servers or in secure files which may be based in the United States. By submitting your Personal Information, you fully consent to this transfer, storing and Processing. The Company will take reasonable steps to treat your data securely and in accordance with this Policy.
9.2 Destruction of Personal Information
When the Company is no longer required to maintain or utilize some or all of your Personal Information the Company will destroy that Personal Information. Such destruction shall be carried out in a secure and permanent way, regardless of the format in which the Personal Information is stored (e.g., paper, Electronic, etc.).
When a record containing Personal Information is to be disposed of, the following procedures will be followed by the Company:
- All paper documentation containing Personal Information will be permanently destroyed by shredding.
- All computer equipment or media that are to be sold or scrapped will have had all Personal Information completely destroyed, for example, by reformatting, over-writing, deleting, degaussing, or physical destruction of the storage media.
10. California Privacy Rights
The following disclosures and the rights described below are applicable to Covered Persons who are residents of California.
Information the Company Collects
Descriptions of the categories of information the Company collects, the sources of the information, and the uses of that information are contained in Section 2 and Section 3 above.
Your Rights Under the California Consumer Privacy Act
Under the California Consumer Privacy Act, Prospective Employees located in California have certain rights regarding their Personal Information, including the following:
RIGHT TO ACCESS. You have the right to access Personal Information which we may collect or retain about you. If requested, we will provide you with a copy of your Personal Information which we collect as permitted by the CCPA. You also have the right to receive your Personal Information in a structured and commonly used format so that it can be transferred to another entity (“data portability”).
RIGHT TO KNOW. You have the right to request that we disclose the following about your Personal Information, as defined by the CCPA:
- The specific Personal Information we may collect;
- The categories of Personal Information we may collect;
- The categories of sources from which we may collect your Personal Information;
- The business purpose(s) for collecting or sharing your Personal Information;
- The categories of Personal Information we may disclose for business purposes; and
- The categories of third parties with whom we may share your Personal Information.
RIGHT TO OPT-OUT / DO NOT SELL MY PERSONAL INFORMATION. Macerich does not sell Personal Information within the meaning of the CCPA.
RIGHT TO OPT-OUT/DO NOT SHARE OR DISCLOSE MY PERSONAL OR SENSITIVE PERSONAL INFORMATION. You have the right to limit how your Personal Information and Sensitive Personal Information is disclosed or shared with third parties, as defined in the CCPA.
RIGHT TO DELETION. In certain circumstances, you have the right to request the deletion of your Personal Information. Upon verifying the validity of a deletion request and when required by law, we will delete your Personal Information from our records, and instruct any service providers or third parties to delete your Personal Information.
RIGHT TO CORRECT/RIGHT TO RECTIFICATION. In certain circumstances, you have the right to request correction of any inaccurate Personal Information. Upon verifying the validity of a verifiable correction request, we will use commercially reasonable efforts to correct your Personal Information as directed, taking into account the nature of the Personal Information and the purposes of maintaining your Personal Information.
Please note that the above rights are not absolute, and we may be entitled to refuse requests, wholly or partly, where exceptions under applicable law apply.
Exercising your Rights
- Making a Request: You may submit an individual rights request through any of the following means: (1) online by completing the Individual Rights Data Access and Deletion Request Form located here, (2) leaving a voicemail at 1-866-686-3246, (3) emailing Macerich at email@example.com with the completed downloaded Individual Rights Data Access and Deletion Request Form, or (4) submitting the Individual Rights Data Access and Deletion Request Form to c/o The Macerich Company, 401 Wilshire Blvd., Suite 700, Santa Monica, CA 90401, Attn: Privacy Office. Macerich shall maintain records of requests for at least 24 months.
- Verifiable Request: Before Macerich can process a request to delete or provide a copy of your data, Macerich will verify the identity of the individual requesting rights to data collected about them. To verify your identity Macerich will rely upon information we have previously collected about you, such as known phone number or email address.
- Authorized Agent: You may designate an authorized agent to exercise rights on your behalf. If you utilize an authorized agent, the following proof that the agent has been authorized to act on your behalf must be provided:
  - Proof of written permission by the Covered Person for the authorized agent to act on his or her behalf and separate verification of the Covered Person; or
  - Proof that the authorized agent holds a power of attorney to act on the Covered Person’s behalf pursuant to Cal. Probate Code §§ 4000-4465.
- Macerich Time to Respond: Macerich will acknowledge a request within 10 days of receipt of a request. A verified request will generally be fulfilled within 45 days of receipt of any such request. If necessary, the Company may take an additional 45 days to respond to the request, for a maximum total of 90 days, in which case the Company will notify you of the delay and provide an explanation of the reason the Company will take more than 45 days to respond. The Company shall inform you whether it has complied, in whole or part, with the request or the basis for denial.
11. Enforcement Of This Policy
Prospective Employees should direct any questions or concerns about the interpretation or operation of this Policy or about what may or may not be done with regard to Personal Information to the Vice President of Human Resources.
Any Covered Person found to have violated this Policy is subject to disciplinary action, up to and including termination of employment for employees. Any Covered Person having questions or concerns about this Policy or their Personal Information should contact, in the first instance, the Vice President of Human Resources, the Privacy Office or the Legal Department if necessary.
Discrimination and retaliation against any Covered Person for exercising their CCPA data rights under this policy and law is strictly prohibited.
12. Changes In This Policy
This Policy is updated and effective as of the date shown on the title page. The Company shall review this Policy and the particular security measures whenever there is a material change in business practices that may reasonably impact on the security or integrity of records containing Personal Information or as required by applicable law.
¹ Personal Information under the CCPA also includes any other category of personal information not included within the CCPA’s definition that are defined in California Civil Code § 1798.80(e). We refer to this category as “Other Data,” and it includes information such as financial information (bank account number, credit card number, debit card number), medical information, health insurance information, and insurance policy number.