Candidate Privacy Notice

Meniga (collectively, “the Company", "we," or "us") is a "controller" in relation to your personal data. This means that we are responsible for deciding how we hold and use personal information about you. You are being sent a copy of this privacy notice because you are applying for work with us (whether as an employee, worker or contractor). It makes you aware of how and why your personal data will be used, namely for the purposes of the recruitment exercise, and how long it will usually be retained for. It provides you with certain information that must be provided under the law applicable to the Meniga company the position in which you apply for (in principle, either the EU General Data Protection Regulation or UK General Data Protection Regulation and related legal acts such as employment law).

Please be aware that Meniga's processing of personal data is always subject to local law requirements. To the extent this notice conflicts with local law, local law will apply. For country specific information please go to Appendix 1 at the bottom of this document.

Data protection principles

We will comply with data protection law and principles, which means that your data will be:

• Used lawfully, fairly and in a transparent way.
• Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
• Relevant to the purposes we have told you about and limited only to those purposes.
• Accurate and kept up to date.
• Kept only as long as necessary for the purposes we have told you about.
• Kept securely.

The kind of information we hold about you

1 Meniga refers to all companies from the Meniga Group, that is (1) Meniga Limited registered in England and Wales (reg, no. 08822710), (2) Meniga Iceland ehf., registered in Iceland (reg. no 571215-0200), (3) Meniga Poland sp. z o. o., registered in Poland (reg. no 0000711422), and (4) Endurgreiðslutilboð ehf. registered in Iceland (reg. no. 621014-0130).

In connection with your application for work with us, we will collect, store, and use the following categories of personal information about you:

• The information you have provided to us in your curriculum vitae and covering letter.
• The information you have provided on our application form, including name, address, telephone number, personal email address, date of birth, employment history, qualifications, salary expectations and availability date.
• Any information you provide to us during an interview.
• Competency test results (if any).
  We may also collect, store and use the following types of more sensitive personal information:
• Immigration checks.

Information about criminal convictions and offences if required or allowed under the applicable law and necessary for the role you are applying for.

How is your personal information collected?

We collect personal information about candidates from the following sources:

• You, the candidate.
• Recruitment agencies if they conduct the recruitment process on our behalf.
• Appropriate government authorities in respect of criminal convictions and immigration documents (depending on the procedure under the applicable law).
• Your named referees, if you consented to this.
• We may also check publicly available data on your LinkedIn profile.

How we will use information about you
We will use the personal information we collect about you to:

• Assess your skills, qualifications, and suitability for the role.
• Communicate with you about the recruitment process.
• Keep records related to our hiring processes.
• Establish, exercise or defend against legal claims.
• Comply with legal or regulatory requirements.
• Carry out background and reference checks, where applicable.
• We also need to process your personal information to decide whether to enter into a contract with you.

Having received your CV and covering letter or your application form, we will then process that information to decide whether you meet the basic requirements to be shortlisted for the role. If you do, we will decide whether your application is strong enough to invite you for an interview where we might want you to take some tests. If we decide to contact you for an interview, we will use the information you provide to us at the interview to decide whether to offer you the role. If we decide to offer you the role, we will then take up references and carry out a criminal record check (if applicable) before confirming your appointment.

If you fail to provide personal information

If you fail to provide information when requested, which is necessary for us to consider your application (such as evidence of qualifications or work history), we will not be able to process your application successfully. For example, if we require certain qualifications for this role and you fail to provide us with relevant details, we will not be able to take your application further.

Automated decision-making

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making.

Data sharing

Why might we share your personal information with third parties?

We will only share your personal information with the following third parties for the purposes of processing your application: other entities within the Meniga group, suppliers of job advertisement publishing services and recruitment management systems, suppliers of IT systems and services such as hosting and HR management. All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

Cross-Border Data Transfers

Where permitted by applicable law, we may transfer the personal data we collect about you to the United States and other jurisdictions that may not be deemed to provide the same level of data protection as your home country, as necessary for the purposes set out in this Privacy Notice. If you are located in the UK or EU/EEA2, we have implemented standard data protection clauses adopted by the EU Commission or other data protection mechanism indicated in Article 46 of the GDPR (or at the very least we rely on another arrangement adopted by the EU commission such as EU Commission’s adequacy decisions) to secure the transfer of your personal data to the United States and other jurisdictions.

Data Security

We have implemented appropriate physical, technical, and organizational security measures designed to secure your personal data against accidental loss and unauthorized access, use, alteration, or disclosure. In addition, we limit access to personal data to those employees, agents, contractors, and other third parties that have a legitimate business need for such access.

Data Retention

We will retain your personal information for a period of six months after the recruitment process ends (but please check Appendix 1 for other country-specific periods). We retain your personal information for that period so that we can show, in the event of a legal claim, that we have not discriminated against candidates on prohibited grounds and that we have conducted the recruitment exercise in a fair and transparent way. After this period, we will securely destroy your personal information in accordance with our data retention policy and applicable laws and regulations.

If we wish to retain your personal information on file (or you wish so yourself), on the basis that a further opportunity may arise in future and we may wish to consider you for that, we will ask your explicit consent to retain your personal information for a fixed period on that basis.

Rights of Access, Correction, Erasure, and Objection

Your duty to inform us of changes

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.

Your rights in connection with personal information

Under certain circumstances, by law you have the right to:

• Request access to your personal information (commonly known as a data subject access request). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
• Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
• Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
• Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
• Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
• Request the transfer of your personal information to another party.

If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact us in writing (including via email).

What we may need from you

We may request specific information from you to help us confirm your identity and your right to access, and to provide you with the personal data that we hold about you or make your requested changes. Applicable law may allow or require us to refuse to provide you with access to some or all of the personal data that we hold about you, or we may have destroyed, erased, or made your personal data anonymous in accordance with our record retention obligations and practices. If we cannot provide you with access to your personal data, we will inform you of the reasons why, subject to any legal or regulatory restrictions.

No fee usually required

You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in these circumstances.

Right to Withdraw Consent

Where you have provided your consent to the collection, processing, or transfer of your personal data, you may have the legal right to withdraw your consent under certain circumstances. To withdraw your consent, if applicable, contact us at dpo@meniga.com.

Data Protection Officer

We have appointed Head of Legal to oversee compliance with this Privacy Notice. If you have any questions about this Privacy Notice or how we handle your personal data, or would like to request access to your personal data, please contact the Head of Legal and Data Protection Officer at: dpo@meniga.com. If you are unsatisfied with our response to any issues that you raise, you have the right to make a complaint with the data protection authority in your jurisdiction by contacting the data protection authority.

Changes to This Privacy Notice

We reserve the right to update this Privacy Notice at any time, and we will provide you with a new Privacy Notice when we make any updates. We may also notify you in other ways from time to time about the processing of your personal information.

Contact Us

If you have any other questions about our processing of your personal data or would like to make an access or other request, please contact us at: dpo@meniga.com.

APPENDIX 1
COUNTRY SPECIFIC INFORMATION
Poland

The kind of information we hold about you, the purposes we use them for and legal grounds

In connection with your application for work with us, we will collect, store, and use the following categories of personal information about you:

• To fulfil our legal obligations – information indicated in the Labor Code or other applicable legal provisions (in particular name, contact information, date of birth, employment history, education and qualifications), if you apply for an employment contract (if you apply for other types of contracts these information are collected based on the bullet points below).
• processing is necessary in order to take steps at your request prior to entering into a contract (in particular availability to commence work, salary expectations, information about interviews and our assessment of your capabilities).
• based on our legitimate interest (e.g. results of your competence tests, information collected from professional and business portals, e.g. LinkedIn, data necessary for the cooperation with recruitment agencies, establishing, pursuing or defending of legal claims);
• based on your consent (data that you voluntarily include in your CV/recruitment application, e.g. your image, hobbies, references from former employers as well as future recruitment processes – if you provide us with a specific consent in this regard);
• to comply with our legal obligations and ensure your specific rights (e.g. sensitive data regarding your disability or immigration status).

Providing personal data specified in the Labor Code or other provisions of law, necessary in our legitimate interest as well as data necessary to take action at your request before concluding the contract is mandatory to participate in the recruitment process. Providing other information is voluntary.

Data Retention

We will retain your personal information for a period of no longer than three years after the recruitment process ends. We retain your personal information for that period so that we can show, in the event of a legal claim, that we have not discriminated against candidates on prohibited grounds and that we have conducted the recruitment exercise in a fair and transparent way. After this period, we will securely destroy your personal information in accordance with our data retention policy and applicable laws and regulations

Candidate Privacy Notice

Version 1.0
Adopted by Meniga on 25th March 2024