Job Applicant Data Protection Notice

The aim of this Data Protection Notice (“Notice”) is to inform individuals who apply for a job or work experience at Varicent UK OpCo Limited, registered in England and Wales under company number 12321098with registered office at Suite 1, 3rd Floor 11 - 12 St. James's Square, London, United Kingdom, SW1Y 4LB(the “Company” or “we” or “us”), on the collection, use, disclosure, transfer, and other processing of their individually identifiable information (“Personal Data”). Under applicable European laws, including but not limited to, laws implementing the General Data Protection Regulation 2016/679 (GDPR) and the UK Data Protection Act 2018 (the “Data Privacy Laws”), the Company is the data controller.

1. Personal Data

Throughout the course of your application process with the Company, we collect and process certain Personal Data about you. We collect and process your Personal Data (a) for purposes that are required by applicable law and regulations, (b) to allow the Company to fulfil its business needs and legal obligations, and (c) to process your job application. The Personal Data we collect and process includes the following categories (where applicable to the application):

• Contact information: such as full name, including title, name at birth and preferred name, home address, home phone number, personal email address, mobile phone number and any current work contact details provided to us.
• Master data and qualified HR data: such as proposed job function and contractual details, education information (including grades), CV/resumé, nationality, passport information, residency status, date of birth, birth city and country, gender, marital status, primary language, language skills, visa type and information (work permit/business/etc).
• Job applicant information:such as candidate details, status, current employer, job history, work and corporate title, education, qualifications, references, criminal record checks, desired function and work location, licenses, certificates, work experience, CV/resumé information, public searches, including of social media.
• Health information: such as illness and accidents information, health, disability information. This type of Personal Data (known as sensitive or special categories of data) will only be processed where required for the relevant purposes.
• Compliance information: information required for regulatory or compliance purposes, such as information relating to outside business activities and information relating to personal account dealing.
• Security: details for passcards; CCTV images; voice recordings etc.

2. Sources of Personal Data

We may obtain Personal Data from the sources listed below:

• directly from you, such as through your data input into our website or Human Resources, the application process or via other forms or information you provide to us in connection with your job application;
• from third parties, including recruiters and employment agencies, references from third parties and other background screening checks, subject to the requirements of applicable law, and from former employers.

3. Information about dependants/contacts

If you provide us with Personal Data about members of your family and/or dependants or beneficiaries, it is your responsibility to inform them of their rights with respect to such information. You also are responsible for obtaining the explicit consent of these individuals (unless you can provide such consent on their behalf) to the processing (including transfer) of that Personal Data for the purposes set out in this Notice.

4. Purposes for processing Personal Data

The Company collects, processes, and otherwise uses your Personal Data for purposes (a) that are required by applicable law and regulations (b) to allow the Company to fulfil its business needs and legal obligations and public health reasons and (c) to process your job application. These purposes also include:

• the exercise of our rights under local laws and compliance with applicable legal and regulatory requests and obligations (including investigations in relation to the same) and audit requirements; and
• to establish or defend legal claims and allegations.

We will not use your Personal Data for the purposes of marketing to you unless you expressly consent to us doing so.

5. Disclosure of Personal Data

Your Personal Data will be disclosed within the Company only to those individuals who need access to your Personal Data to perform their duties for the purposes listed in Section 4 above or where required or permitted by applicable law.

The Company may also disclose your Personal Data to affiliates of the Company (together all such affiliates the “Group”) for pursuing the purposes listed in Section 4 above or where required by applicable law. Within the Group, your Personal Data will be disclosed only to a limited number of restricted individuals within the information technology, human resources, legal, finance, regulatory and compliance, accounting department as well as certain managers (i.e. only persons with assigned responsibility or managerial responsibility for the employee or groups of employees) to the extent any of these functions need access to your Personal Data in connection with their job responsibilities. Access will be provided on a need-to-know basis.

The Company may also disclose your Personal Data to third parties, including those providing information technology support or technical and organisational services in connection with human resources-related activities or legal, compliance audit or other advisors to the Company for the purposes referred to in this Notice. The Company will exercise appropriate due diligence in the selection of its third party service providers, and require that such providers maintain adequate technical and organisational security measures to safeguard your Personal Data, and to process your Personal Data only as instructed by the Company or a member of the Group and for no other purposes.

6. International transfer of Personal Data

Due to the multinational character of the Group, some of the affiliates and other recipients listed in Section 5 above may be located in countries (including the United States) that do not provide a level of data protection equivalent to that set forth by the law in your home country. The Company transfers Personal Data to Canada which is deemed to have adequate data protection laws by the European Commission.  The Company will take appropriate steps to make sure that such recipients act in accordance with applicable law. To the extent that the Company transfers the Personal Data to recipients which are located outside the European Union or the European Economic Area, the Company will provide an adequate level of protection of your Personal Data, including appropriate technical and organisational security measures and through the implementation of appropriate contractual measures to secure such transfer, in compliance with applicable law.

The Company uses standard contractual clauses in the form approved by the European Commission (http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32010D0087).

7. Legal basis for processing Personal Data

The Company’s employment obligations and contractual obligations, the need to take pre-contractual steps and its legal obligations as well as its legitimate business interests and/or public health reasons under the Data Privacy Laws form the legal basis of the processing described in this Notice. Our legitimate interests or those of a third party include our requirements to use your Personal Data in litigation, investigations, regulatory or governmental enquiries or for other legal or regulatory purposes involving the Company and/or any affiliate of the Company and may also include the need to transfer your Personal Data to third countries without adequate data protection laws. In this event, we will take reasonable steps to protect your Personal Data as required by the Data Privacy Laws.

8. Data security

We maintain physical, technical, and organisational security measures to protect the Personal Data against accidental, unlawful, or unauthorised destruction, loss, alteration, disclosure, or access, whether it is processed in your local jurisdiction, the United States, or elsewhere. Our Information Security policy governs how we protect your Personal Data. Please ask the HR Team if you would like a copy of this.

9. Retention, Access and Accuracy of Personal Data

We intend to keep your Personal Data accurate and up-to-date. We also strive to retain your Personal Data no longer than is necessary to carry out the purposes listed in this Notice or than is required by law. The Company retains your Personal Data for a maximum of seven years following the end of your job application process or, if you become employed or engaged, from the end of your employment or other business relationship.

If changes need to be made to Personal Data, notify the Data Protection Officer (as identified below) in writing right away. Under applicable law, you have rights to: (i) check whether we hold Personal Data about you and to access such data (subject to applicable laws); (ii) request correction of Personal Data about you that is inaccurate; (iii) ascertain information related to the Company’s policies and practices in relation to Personal Data; (iv) request the erasure of your Personal Data; and (v) request the restriction of processing concerning you. In certain circumstances, you also may have the right to request restrictions or object for legitimate reasons to the processing of your Personal Data in accordance with the Data Privacy Laws. Further, you have the right to transfer your Personal Data to third parties pursuant to Article 20 of the GDPR.

10. Rights to raise concerns

You have the right to raise concerns to the Company or to a supervisory authority about the Company’s processing of your Personal Data. If you wish to raise concerns with the Company, please contact the Data Protection Officer at DPO@varicent.com. The applicable supervisory authority of the Company is the Information Commissioner’s Office in the UK.

11. Questions

If you have any questions about this Notice or wish to (i) access or review your Personal Data or learn more about who has access to your Personal Data, or (ii) make another type of request related to your Personal Data, please contact the Data Protection Officer at DPO@varicent.com.

This Notice is dated 10^thSeptember 2020.