Enara Bio Limited (the “Company”) is committed to protecting personal information that is collected and used by it. This notice applies to personal data about you that we collect, use and otherwise process in connection with our recruitment, and if applicable, our offer and on-boarding processes.
We explain in this notice how the Company collects and uses personal information and the choices you can make about the way your personal information is collected and used. This notice also provides information that we are required under data protection law to provide regarding the purposes and conditions of the processing of personal information.
I. Data protection principles
The Company is a “data controller”, which means that it is responsible for deciding how to hold and use your personal information. We comply with applicable data protection law. This means that when processing personal information for any purpose we must ensure it is:
- Used lawfully, fairly and in a transparent manner.
- Collected only for valid purposes that have been clearly explained and not used in any way that is incompatible with those purposes.
- Relevant to the purposes we have told you about and limited only to those purposes.
- Accurate and kept up-to-date.
- Kept only as long as necessary for the purposes we have informed you about.
- Kept securely
II. What personal information may we hold about you?
We set out below the types of personal data about you which we may collect or create at each stage of the recruitment process.
Application and assessment process
In connection with assessing your application we process the following categories of personal data:
- Information we collect from you at the application stage
We collect the personal data that you provide to us in your CV and covering letter. It is for you to decide what you include in these documents. However, the kinds of information you may wish to include are: name, contact details, details of your qualifications and information about your employment experience.
- Information we collect from you in the course of interviews
If you are invited to undertake further assessments (such as an interview) in connection with your application and you participate in such assessments, we may collect further personal data that you provide to us as part of that process. The kinds of information you may disclose, include information about your qualifications and information about your employment experience. You may choose to disclose salary history or salary expectations.
- Information we create ourselves
Throughout the recruitment process, we may create personal data in connection with the assessment of your application. For example, we may record the views of those considering your application about your suitability for the role for which you have applied and retain interview notes. We may contact the individuals whose names you provide to us and record their views on your previous performance and on your suitability for the role for which you have applied and retain notes of these conversations. We may also contact individuals in our network who may know you and record their views on your previous performance and your suitability for the role for which you have applied and retain notes of these conversations.
We may use your name and contact details to contact you in connection with your application, such as to invite you to undertake further assessments or to make you an offer of employment. We have a legitimate interest in facilitating the interview process and communicating offers of employment to you.
We may use the information we collect as part of the application and assessment process and the information that we create ourselves in connection with the assessment of your application for the purpose of assessing your suitability for the role for which you have applied. We have a legitimate interest in making informed recruitment decisions and selecting suitable candidates for roles with us.
If your application is successful
If your application is successful, we will collect further personal data about you as set out below as part of confirming your employment (see also the section entitled ‘Special categories of personal data’ below):
- Background checking
We will undertake background checks, for example: obtaining evidence of employment from previous employers, verifying academic records and requesting a copy of your P45 (as relevant). We will use the personal data contained in such documents to verify the details provided by you in the recruitment process. We have a legitimate interest in maintaining standards of integrity and excellence in our workforce.
- Identification information
We will collect copies of identification documents from you (such as your passport or driving licence, proof of address, a copy of your visa (where applicable), a photograph and a copy of your signature). We use this information to comply with immigration requirements where necessary. This personal data is required for us to comply with our legal obligations and for the performance of your employment contract with us.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is to ensure that personal data is not disclosed to any person who has no right to receive it.
Occasionally, we may need to process personal data that would be categorised as “special categories of personal data” in accordance with Article 9 of UK GDPR (namely information that reveals particularly sensitive information such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health or sex life and sexual orientation, genetic or biometric data), or information about any criminal convictions or criminal charges. If we process special categories of personal data about you, we will ensure that one or more of the legal grounds for processing special personal data applies.
We may record images of you, including footage from any closed circuit televisions (CCTV) cameras installed within an Enara Bio facility, or photographic images for other security or compliance purposes.
The above information will be held electronically and/or in hard copy form.
III. Why and how we process your personal information
The Company will only use and process your personal data where permitted to do so by law. The Company relies on several legal bases to use and process personal information about you, including that the processing is necessary for:
- The Company’s legitimate interests in establishing and managing the Company’s relationship with you (as long as your fundamental rights do not override those legitimate interests), and for related functions including personnel and administrative purposes, such as:
- Business processes such as maintaining business and statutory records, management analysis, audits, forecasts, planning, transactions, business continuity, diversity monitoring and labour risk prevention;
- The security of the workplace, Company systems, assets, workers and the personal information of workers, clients, and customers, including pre-employment checks, references and monitoring; and monitoring your use of Company systems where we have reasonable cause to do so in order to ensure compliance with applicable IT and security policies;
- Implementation of extraordinary operations, such as mergers and acquisitions, transfer of business or transfer of a branch of the business, and entering into joint venture agreements; and
- Programs and policies on training and development, job evaluation, rewards, planning, and organisation;
- The performance of employment and services contracts, including human resource administration, payroll and provision of benefits (including the operation and administration of share plans and similar employee incentivization schemes);
- Compliance with the Company’s obligations under applicable laws and regulations, such as accounting and tax requirements and in relation to staff insurance and pensions;
- Carrying out obligations and exercising rights under employment law;
- Preventative or occupational medicine or to assess the working capacity of our staff;
- Establishing, exercising or defending legal claims; and/or
- Where applicable, on the basis of your consent from which you may subsequently withdraw at any time without affecting the lawfulness of processing based on consent before its withdrawal. Once you have withdrawn any such consent, we will no longer process your personal information for the purpose you consented to, unless we have another legal basis for doing so.
Where relevant, we have considered whether the interests or fundamental rights and freedoms of our recruitment candidates override our legitimate interests and have formed the view that they do not.
We will not use automated decision-making (namely, where an electronic system uses your personal information to make a decision about you without human intervention) that will have a legal effect or other significant impact on you, unless: (a) we have a legal basis for using automated decision-making; and (b) we have provided notice to you.
If you do not provide us with certain information when requested, it may impact our ability to assess your suitability for a role with us or we may not be able to make you an offer of employment.
IV. Retaining your personal information
The Company will only hold your personal information for as long as it is relevant to your working relationship with us or as long as necessary to comply with any legal obligation or to fulfill the above-listed purposes.
If we anonymise your personal information so that you can no longer be identified from it, we may use such information without providing any further notice to you.
Once we no longer require your personal data for the purposes for which it is processed, we will securely destroy your personal data in accordance with applicable laws and regulations and in accordance with our Document Retention policy.
V. Sharing your personal information
Sometimes we will need to share your personal information with Enara Bio Inc. and third parties, including but not limited to external suppliers of HR benefits, professional advisers, insurers, service providers, public bodies, a prospective employer, or a new (or prospective) owner in the event of a change (or prospective change) of ownership of the Company - see below for more details and third parties. We will only do so when necessary for legitimate business purposes. For example, your personal information may be sent to the following categories of recipient for the following reasons:
- To other group companies that may carry out human resources shared services on our behalf for the purposes of human resource administration;
- Data transmitted as part of your application for a role at Enara Bio will be transferred using TLS encryption and stored in a database. This database is operated by Personio GmbH, which offers a human resource and applicant management software solution (https://www.personio.com/legal-notice/). In this context, Personio is our processor under Article 28 of UK GDPR. In this case, the processing is based on an agreement for the processing of details between us as the controller and Personio.
- To external suppliers to administer your benefits on our behalf (e.g. providers of private health insurance or pension);
- To our professional advisers and insurers;
- To competent public corporations, government authorities and law enforcement as may be required by law, including regarding tax, labour, social security and similar matters;
- To our carefully selected service providers appointed from time to time to provide services related to our business and under contract to us, such as processors of staff data, salary, expenses and other compensation information. Those service providers will be carefully selected and bound by appropriate contractual protections (such as to use appropriate measures to protect the confidentiality and security of personal data), where required by applicable data protection law;
- To a prospective employer, for example in response to a reference request;
- To any new (or prospective) owners, should there be a change (or prospective change) in the ownership of the Company, or business units or departments within the Company; and/or
- To external parties as required by law or legal process, or as otherwise authorised by you.
Your personal information may be transferred to group companies operating in countries outside the UK and European Economic Area (“EEA”). In addition, we share your personal data with others outside the UK or the EEA from time-to-time, such as law enforcement agencies, regulatory bodies and the Company’s service providers. Data protection laws may or may not apply in jurisdictions outside the UK and/or EEA or may not be as stringent as those in the UK and/or EEA.
We will only share personal data with others outside the EEA or the UK when we are legally permitted to do so, namely where:
1. the EU Commission or UK government (as relevant) has decided that the relevant country has adequate protective rules in relation to data protection in place (an “adequacy decision”);
2. we have entered into the relevant “standard contractual clauses” with the recipient of your personal data (these are a set of obligations about how your data is protected and used, a copy of which you can obtain by contacting firstname.lastname@example.org); or
3. we can rely on another basis under the law such as that we have to share the personal data because this is necessary for the purpose of a court case, investigation or to protect our legal rights.
Any data transfers from the EEA to the UK will be on the basis of the data transfer provisions under the Brexit deal between the UK and the EU for as long as these are in place. When that period has ended, any transfers from the EEA to the UK will be undertaking on the basis of one of the above three ways.
VI. Your rights
You are entitled to request access to or rectification of personal information relating to you that is held by the Company, in each case in accordance with applicable law. You are also entitled in certain circumstances to request the erasure or restriction of processing of your personal information, to object to processing of such information, or request your personal data be ported (transferred) to another company, again in accordance with applicable law. The contact listed in Section VIII below will be able to explain how to do this. We will provide you with a response in accordance with applicable data protection law. The Company may refuse to comply with such a request in limited circumstances under applicable law. In certain limited circumstances, we may also charge you a reasonable fee to access your personal data; however, we will advise you of any fee in advance.
If, having considered the personal information we hold about you, you find that it is inaccurate or you otherwise have any concerns, you may request that your information be amended, erased or restricted in accordance with applicable law.
VII. Securing your personal information
We take appropriate measures to ensure the security and confidentiality of the personal information we hold concerning you and to limit access to that information. Details of these measures are available from the contact listed in Section VIII below.
VIII. Contact information
If you have a concern relating to the Company’s handling of your personal information or a question relating to this notice, please contact Bethany Turner at email@example.com.
While we hope that we can answer any questions or concerns you may have, if you have unresolved concerns you also have the right to lodge a complaint before the relevant data protection authority. The UK’s data protection authority is the Information Commissioner’s Office.