Recruitment Candidate Privacy Policy

Introduction

This Privacy Notice for Enara Bio (the “Company”) sets out the categories of your personal data we collect, how we collect it, what we use it for and with whom we share it, in accordance with applicable data protection legislation, including the General Data Protection Regulation (GDPR).

By personal data we mean any information relating to you such as your name and contact details. Personal data does not include data which has been anonymised, such as data from equal opportunities monitoring carried out on an anonymised basis.

Enara Bio will be the data controller in respect of the processing of your personal data and in this Privacy Notice “Enara Bio”, “we”, “us” or “our” refers to Enara Bio.

The data controller is responsible for deciding how personal data about you is used.

Should you have any questions about this Privacy Notice you can contact us using the details set out in the ‘Contact Us’ section below.

This Privacy Notice applies to personal data about you that we collect, use and otherwise process in connection with our recruitment, and if applicable, our offer and on-boarding processes. We do not require you to provide any special categories of personal data (as defined below), other than as set out below. We would recommend that you do not include any additional special categories of personal data in your application as it is unlikely to be relevant to the application process.

How do we collect data about you and what do we use it for?

We set out below the types of personal data about you which we may collect or create at each stage of the recruitment process In each case we have specified the purpose for which we use the relevant personal data and our ‘lawful basis’ for processing it. The law specifies certain ‘lawful bases’ for which we are permitted to use your personal data. Most commonly, we will rely on one or more of the following lawful bases for processing your personal data:

  • where it is necessary for the performance of the contract;
  • where it is necessary for compliance with a legal obligation to which we are subject; and/or
  • where it is necessary for the purposes of the legitimate interests pursued by us or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of our recruitment candidates, which require their protection.

Where relevant, we have considered whether the interests or fundamental rights and freedoms of our recruitment candidates override our legitimate interests and have formed the view that they do not.

Application and assessment process

In connection with assessing your application we process the following categories of personal data (see also the section entitled ‘Special categories of personal data’ below):

  • Information we collect from you at the application stage

We collect the personal data that you provide to us in your CV and covering letter. It is for you to decide what you include in these documents. However, the kinds of information you may wish to include are: name, contact details, details of your qualifications and information about your employment experience.

  • Information we collect from you in the course of interviews

If you are invited to undertake further assessments (such as an interview) in connection with your application and you participate in such assessments, we may collect further personal data that you provide to us as part of that process. The kinds of information you may disclose, include information about your qualifications and information about your employment experience. You may choose to disclose salary history or salary expectations.

  • Information we create ourselves

Throughout the recruitment process, we may create personal data in connection with the assessment of your application. For example, we may record the views of those considering your application about your suitability for the role for which you have applied and retain interview notes. We may contact the individuals whose names you provide to us and record their views on your previous performance and on your suitability for the role for which you have applied and retain notes of these conversations. We may also contact individuals in our network who may know you and record their views on your previous performance and your suitability for the role for which you have applied and retain notes of these conversations.

We may use your name and contact details to contact you in connection with your application, such as to invite you to undertake further assessments or to make you an offer of employment. We have a legitimate interest in facilitating the interview process and communicating offers of employment to you.

We may use the information we collect as part of the application and assessment process and the information that we create ourselves in connection with the assessment of your application for the purpose of assessing your suitability for the role for which you have applied. We have a legitimate interest in making informed recruitment decisions and selecting suitable candidates for roles with us.

If your application is successful

If your application is successful, we will collect further personal data about you as set out below as part of confirming your employment (see also the section entitled ‘Special categories of personal data’ below):

  • Background checking

We will undertake background checks, for example: obtaining evidence of employment from previous employers, verifying academic records and requesting a copy of your P45 (As relevant). We will use the personal data contained in such documents to verify the details provided by you in the recruitment process. We have a legitimate interest in maintaining standards of integrity and excellence in our workforce.

  • Identification information

We will collect copies of identification documents from you (such as your passport or driving licence, proof of address, a copy of your visa (where applicable), a photograph and a copy of your signature). We use this information to comply with immigration requirements and to verify your identity for our own internal security purposes. This personal data is required for us to comply with our legal obligations and for the performance of your employment contract with us.

Special Categories of Personal Data

There are more limited bases for processing special category personal data. This is personal data which reveals or contains:

  • racial or ethnic origin
  • biometric data
  • health data

We will process special category personal data because we have a lawful basis for doing so and because it is necessary:-

  • for the purposes of carrying out our obligations and exercising specific rights in the field of employment and social security law (employment law obligations); and/or
  • for the assessment of the working capacity of a successful candidate.

However, we may also process special category data because: it is necessary in relation to legal claims; it is necessary for reasons of substantial public interest or, in limited circumstances, you have given explicit consent.

The special categories of data about you which we may collect, store and use are set out in the table below and in each case, we have specified the purpose and our ‘lawful basis’ for processing it.

Category of special categories of personal data

Examples

Purpose

Lawful basis for processing

Medical/health information as part of the application process

Information re any mental or physical impairment which may cause a disadvantage to you during the recruitment process

To enable us to make any appropriate reasonable adjustments

Compliance with a legal obligation/employment law obligations

Immigration information (successful candidates only)

Passport, visa, work permit

To demonstrate right to work in the UK

Compliance with a legal obligation/employment law obligations

Medical/health information (successful candidates only)

Pre-employment provision of medical information

To ascertain medical information that may be relevant to the role and/or the need for any reasonable adjustments

Necessary for performance of contract/compliance with a legal obligation & employment law obligation/working capacity

What if you do not provide the personal data we request?

If you do not provide us with certain information when requested, it may impact our ability to assess your suitability for a role with us or we may not be able to make you an offer of employment.

Change of Purpose

We will only use your personal data for the purposes for which we collected it (as identified above), unless we reasonably consider that we need to use it for another reason which is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

In some circumstances we may anonymise your personal data so that it can no longer be associated with you, in which case it is no longer personal data.

With whom will we share your information?

We may share your personal data with third parties where this is required by law, where it is necessary to perform our contract with you, or where we have another legitimate interest in doing so.

Our service providers

Data transmitted as part of your application for a role at Enara Bio will be transferred using TLS encryption and stored in a database. This database is operated by “Personio” GmbH, which offers a human resource and applicant management software solution (https://www.personio.com/legal-notice/). In this context Personio is our processor under article 28 of the GDPR. In this case, the processing is based on an agreement for the processing of details between us as the controller and Personio. Further details regarding the processing of personal data by the operator of the recruitment website is located in Schedule 1, to this policy.

Additionally, we share personal data with third-party service providers that perform services and functions at our direction and on our behalf. Our service providers are our IT service providers, our recruitment service providers, our HR consultant, our finance service providers and our lawyers. We rely on service providers in order to effectively operate our business.

Third party companies associated with a sale or acquisition of the business

In the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets

If Enara Bio or substantially all of our assets are acquired by a third party, in which case personal data may be one of the transferred assets.

Other third parties

We may need to share your personal data with a regulator or to otherwise comply with applicable law or judicial process. We may disclose your personal data if we are required by law to do so or if we reasonably believe that disclosure is necessary to protect our rights and/or to comply with judicial or regulatory proceedings, a court order or another legal process. We may share your personal data where this is required by law, where it is necessary to perform our contract with you, or where we have another legitimate interest in doing so.

Processing of your personal data

Certain third-party service providers may be located outside the EEA. If we share your personal information with any service providers located outside the EEA, we will require such service providers to respect the security of your data and to treat it in accordance with the law.

Where we store your personal data

All information you provide to us will be stored on our secure servers. Once we have received your information, we will use appropriate technical and organisational measures to prevent unauthorised access, disclosure, loss or damage to your personal data.

How long will we retain your information?

We will only retain your personal information for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, regulatory, accounting or reporting requirements.

If you are successful in your application, we will retain the majority of the categories of personal data set out above for the duration of your working relationship with us and for a reasonable period of time after its termination as described in our employee privacy policy which will be made available to you once you become an employee. If you are unsuccessful in your application, we will retain the majority of the categories of personal data set out above for a reasonable period of time (no longer than twelve months) after the recruitment process has ended unless you have consented to us keeping it longer.

In some circumstances we may anonymise your personal data so that it can no longer be associated with you, in which case it is no longer personal data.

Once we no longer require your personal data for the purposes for which it is processed, we will securely destroy your personal data in accordance with applicable laws and regulations and in accordance with our records retention policy.

Accuracy of information

It is important that the personal data we hold about you is accurate and current. Please let us know if your personal data changes during the recruitment process.

Your rights in relation to your information

Where the processing of your personal data is subject to the GDPR, you have rights as an individual which you can exercise in relation to the information, we hold about you under certain circumstances. These rights are to:

  • request access to your personal data (commonly known as a “subject access request”) and request certain information in relation to its processing;
  • request rectification of your personal data;
  • request the erasure of your personal data;
  • request the restriction of processing of your personal data;
  • object to the processing of your personal data; and
  • request the transfer of your personal data to another party.

If you want to exercise one of these rights, please contact using the contact details set out below. You also have the right to make a complaint at any time to a data protection supervisory authority. The Information Commissioner’s Office is the UK supervisory authority for data protection issues.

Fees

You will not usually have to pay a fee to access your personal data (or to exercise any of your other rights). However, we may charge a reasonable fee if your request for access is manifestly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is to ensure that personal data is not disclosed to any person who has no right to receive it.

Further information

This Privacy Notice was written with brevity and clarity in mind and is not an exhaustive account of all aspects of our collection and use of personal data. If you require any further information, please contact us, via the details provided on our website www.enarabio.com


Schedule 1

Processing of personal data by the operator of the recruitment website (“Personio”)

General information

Our recruitment website is operated by Personio GmbH, which provides a human resource and applicant management software system. Data transmitted as part of your application will be transferred using TLS encryption and stored in a database. The sole data controller of this data within the meaning of article 24 of the GDPR is the enterprise carrying out this online application process. Personio’s role is limited to operating the software and this recruitment website and, in this context, is deemed to be a processor under article 28 of the GDPR. In this case, the processing by Personio is based on an agreement for the processing of details between the data controller and Personio. In addition, Personio GmbH processes further data, some of which may be personal data, to provide its services, to operate this recruitment website. We will refer to this in more detail below.

The Controller

The data controller under data protection law is:

Personio GmbH

Rundfunkplatz 4

80335 München

Telephone: + 49 89 1250 1005

Commercial register entry number: HRB 213189

Registration Court: Amtsgericht München (Munich Local Court)

Data Protection Officer contact: datenschutz@personio.de

Access logs (“server logs”)

Each access to this recruitment website automatically causes general protocol data, so-called server logs, to be collected. As a rule, this data is a pseudonym and thus does not allow for inferences about the identity of an individual. Without this data, it would, in some cases, be technically impossible to deliver or display the contents of the software. In addition, processing this data is necessary for security reasons, specifically for access, input, transfer and storage control. Furthermore, this anonymous information can be used for statistical purposes and for optimizing services and technology. In addition, the log files can be checked and analysed retrospectively when unlawful use of the software is suspected. The legal basis for this is section 15 subsection 1 of the German Telemedia Act (TMG), as well as article 6 (1) f) of the GDPR. Generally, data such as the domain name of the website, the web browser and web browser version, the operating system, the IP address, as well as the timestamp of the access to the software is collected. The scope of this log process does not exceed the common log scope of any other site on the web. These access logs are stored for a period of up to 7 days. There is no right to object to this.

Error logs

Error logs are generated for the purpose of identifying and fixing bugs. This is necessary to ensure we can react as quickly as possible to problems with displaying and implementing content (legitimate interest). As a rule, this data is a pseudonym and thus does not allow for inferences about the identity of an individual. The legal basis for this section 15 subsection 1 of the German Telemedia Act (TMG), as well as article 6 (1) f) of the GDPR. When an error message occurs, general data such as the domain name of the website, the web browser and the web-browser version, the operating system, the IP address, as well as the timestamp upon occurrence of the respective error message and/or specification is collected. These error logs are stored for a period of up to 7 days. There is no right to object to this.

Use of cookies

Cookies are used on parts of this recruitment website. They are small text files which are stored on the device with which you access this recruitment website. As a general rule, cookies serve the purpose of ensuring secure access to a website (“necessary”), implementing certain functionalities such as standard-language settings (“functional”), improving the user experience or the performance of the website (“performance”), or placing targeted advertisements (“marketing”). On this recruitment website, we generally use only cookies that are necessary, functional or performance related, specifically for implementing certain default settings such as language, for identifying the job advertising channel, or for analysing the performance of a job advert via which a user accessed this recruitment website. The use of cookies is critical for the provision of our services and thus for the performance of the contract (article 6 (1) b) of the GDPR).

Period of storage: up to 1 month or until the end of the browser session.

Right to object: you can determine via your browser settings whether you allow or object to the use of cookies. Please note that deactivating cookies may result in limited or completely blocked functionalities of this recruitment website.

Rights of data subjects

If Personio as the data controller processes personal data, you as the data subject have certain rights under Chapter III of the EU GDPR, depending upon the legal basis and the purpose of the processing, in particular the right of access (article 15 of the GDPR) and the rights to rectification (article 16 of the GDPR), erasure (article 17 of the GDPR), as well as the right to object (article 21 of the GDPR). If the personal data is processed with your consent, you have the right to withdraw this consent under article 7 III of the GDPR. To assert your rights as a data subject in relation to the data processed for the purpose of operating this recruitment website, please refer to the Personio’s Data Protection Officer.

Concluding provisions

Personio reserves the right to amend this data privacy statement at any time to ensure that it is in line with the current legal requirements, or in order to accommodate changes in services, for example, when new services are introduced.

Version Control

Version

Detail of amendment

Date

1.0

Initial issue

3rd June 2019

1.1

Name change and amendment for integration with Personio HR system

1st July 2020