Privacy Notice for
Prospective Employees

This Privacy Notice covers any candidate data that is collected by Nortal for the recruiting process. This may include but is not limited to the following information:

1. Your name (first and last name), contact details and candidate status.
2. Information included in your CV or cover letter, such as employment history, academic background, skills and competencies, personal interests, languages spoken, photos and questionnaire results. Nortal does not require applicants to submit a photograph and photographs will play no role in any hiring decision. Where you voluntarily include a photograph in your application materials, we will process it solely to the extent necessary to manage your application and in accordance with applicable law. In certain jurisdictions (including Germany and Austria), we strongly advise that you do not include a photograph. In certain jurisdictions (including Germany, Austria, and the United States), we strongly advise that you do not include a photograph, as photographs are not required and their inclusion may give rise to concerns under applicable anti-discrimination legislation.
3. Job preferences and type of employment sought and willingness to relocate.
4. Names and contact details of referees. Please note that it is your responsibility to obtain consent from your referees prior to providing us personal information about them.
5. Salary expectations. Collection of salary history information is subject to applicable local law and will not be sought where prohibited. Nortal Group may, subject to your consent, collect data from third parties, in order to conduct employment background check, to the extent this is permitted by the applicable law
6. Also notes about the candidate may be created by persons working for Nortal Group to process, manage candidates and to handle communication through and in-between recruiting activities. This may be based on video or audio recordings and transcripts thereof.
7. Special Categories of Personal Data In limited circumstances, we may process special categories of personal data (as defined under applicable law), such as information relating to health or disability where you voluntarily provide it in connection with a request for a reasonable adjustment to the recruitment process. Such data will be processed on the basis of explicit consent and/or applicable law. We will not request special category data beyond what is strictly necessary.

During the recruitment process we might ask you to participate in assessment days, complete tests, or occupational personality profile questionnaires, and/or to attend an interview – or a combination of these. Information will be generated by you and by us. For example, you might complete a written test, or we might take interview notes.

Where required by applicable law, when collecting personal data from you, Nortal will clearly indicate which fields are mandatory and which are optional. Providing optional data is voluntary and refusal will not affect your application process. However, failure to provide mandatory data may prevent us from processing your application and/or fulfilling our contractual and legal obligations.

We may publish job openings on occupational platforms, and we may also find you based on your availability and profile settings in the same. In the event you apply for an opening at Nortal through an application function on an occupational platform or similar online service provider (“Partner”), it is important to note that the relevant Partner may retain your personal data and may also collect data from Nortal in respect of the progress of your application. This includes our recipients of personal data (see below) that may, depending on their features, enrich data by way of analytics and collecting data about a candidate based on publicly available information about you.

We may also receive your personal data from a third party who recommends you, or informs us of your eligibility, as a candidate for a specific opening or for our business more generally.

Candidate assessment days, tests or occupational personality profile questionnaires, attending an interview – or a combination of these will result in personal data generated by you, us and potentially a third in the event that there is third party involvement (“Partner”). Any use by a Partner of your data will be in accordance with the Partner’s Privacy Notice and subject to the terms and conditions between you and Partner on one hand, and Nortal Group and Partner on the other.

As part of our recruitment process, we may use an artificial intelligence tool called Metaview to assist with our interview process. If the use of Metaview is planned, candidates are informed accordingly in the meeting invite. During your interview, based on your consent, we will collect and process the following personal data:

• Audio and video recordings of your interview
• Transcriptions of your interview generated by Metaview
• Any other information you choose to share during the interview. process

The tool enables our recruiters to stay fully present during the interview. The notes taken are always subject to human oversight.

Your personal data is processed for the purposes of managing Nortal’s recruitment related activities. Consequently, Nortal may use personal data in relation to the evaluation and selection of applicants as needed in the recruitment process, including procuring manpower. In particular, your data is processed for the following purposes:

• Identifying potential candidates for open or future positions;
• determining your qualifications for employment and reaching a recruitment decision;
• evaluating your suitability for other employment vacancies and comparison with other candidates;
• verifying the data you submit through referees;
• conducting background checks (subject to the applicable national legislation);
• informing you, via e-mail, SMS or otherwise about the progress of your application for employment with Nortal;
• protecting our rights and fulfilling our legal obligations; and
• informing you, via e-mail, SMS or otherwise about other local or global vacancies at Nortal that we consider you suitable to make an application of employment for;

• enhancing information that Nortal Group receives from you with information obtained from third party data providers.

Should your application for employment be successful, your personal data submitted for hiring purposes may be processed for the necessary employment purposes and included in your employment file.

If Nortal does not employ you, Nortal may (subject to your freely given consent) nevertheless continue to retain and use your personal data collected during the recruitment process in order to consider you for new positions.

Legal basis: Lawful, fair and transparent data processing is at the core of Nortal Group recruitment process. Nortal processes the personal data generated throughout the recruitment and communication process on the following basis. The legal bases set out below are expressed primarily in terms of the GDPR and UK GDPR. For applicants in jurisdictions outside the EU/EEA and UK, equivalent or analogous legal bases under applicable local law apply, as summarised below:

• Canada (PIPEDA / Quebec Law 25): Processing is based on your knowledge and consent, except where an exception applies under applicable law. Quebec residents are entitled to additional disclosures regarding automated processing.
• United States: Processing is conducted in compliance with applicable federal and state privacy laws, including the CCPA/CPRA for California residents. No personal information is sold.
• Saudi Arabia (PDPL): Processing is based on consent, contractual necessity, or compliance with a legal obligation, in accordance with the PDPL and its Implementing Regulations.
• UAE (PDPL): Processing is based on consent or another lawful ground under Federal Decree-Law No. 45/2021.
• Oman (PDPL): Processing is conducted in accordance with Royal Decree No. 6/2022.
• Mexico (LFPDPPP): Processing of non-sensitive personal data is based on consent (which may be implicit in the act of applying); processing of sensitive personal data requires express written consent.
• Colombia: Processing is conducted in accordance with the Law 1581 of 2012 and its regulatory decrees.
• Uruguay: Processing is conducted in accordance with the Law 18381.

Only selected employees of Nortal Group, such as management team members, potential future line managers or HR staff, and selected third parties who support us with the recruitment process, have access to your personal data. Except as set out in this policy or as required by law, your personal data will not be supplied to any third party without your explicit authorization.

Globally, unless provided otherwise, we use a third-party service provider to provide a recruiting software system (iCIMS, Inc. https://www.icims.com/). iCIMS maintains compliance with applicable data protection laws. For more information, see iCIMS's privacy policy. When needed for technical support and maintenance, employees of iCIMS might have limited access to your data. Also notes about the candidate may be created by persons working for Nortal Group in order to process, manage candidates and to handle communication through and in-between recruiting activities.

Your personal data shall not be kept for longer than is necessary for the recruitment process.

Therefore, as a general rule within Nortal Group, unless stated otherwise in this policy, unsuccessful application data without consent to contact you for other positions, will be deleted after 2 years, taking into consideration our legal obligations or to defend against any claims arising from legal regulations. .

In addition to using your data for the position for which you have applied, Nortal may retain and use your application data to consider you for other positions, but only with your explicit consent for a maximum period of 2 years. In the event we wish to further maintain your personal data, we will contact you separately to acquire your consent.

In case you applied for a job located in Germany, Austria, UK or Bulgaria your data will only be stored for a period of 180 days beyond the termination of the application process. This is usually done to fulfill legal obligations or to defend against any claims arising from legal regulations. We are then obliged to delete or anonymize your data. In this case, the data is only available to us as so-called metadata without direct personal reference for statistical evaluations (e.g. women’s or men’s share of applications, number of applications per period, etc.). In addition, we reserve the right to store your data for inclusion in our “Talent Pool” for 180 days longer if you agree in order to identify any other interesting positions for you.

In case you applied for a job located in South America (including Mexico) your data will be stored for a period of 3 years beyond the termination of the application process. This is usually done to fulfill legal obligations or to defend against any claims arising from legal regulations. We are then obliged to delete or anonymize your data. In this case, the data is only available to us as so-called metadata without direct personal reference for statistical evaluations (e.g. women’s or men’s share of applications, number of applications per period, etc.). In addition, we reserve the right to store your data for inclusion in our “Talent Pool” for 3 years longer if you agree in order to identify any other interesting positions for you.

If you receive and accept an offer for employment with us as part of the application process, we will store the personal data collected during the application process for at least the duration of the employment relationship.

You can nevertheless always ask Nortal to delete your data by sending your request via e-mail to privacy@nortal.com (globally) or auskunftsersuchen@nortal.com (Germany) or by letter to the addresses available herein.

Your rights depend on the jurisdiction in which you reside or in which you are applying for a role. The following is a summary:

EU/EEA (including Estonia, Germany, Austria, Finland, Lithuania, Poland, Bulgaria) — under GDPR: You have the right to access, correct, erase, restrict processing, receive (data portability), object to processing, withdraw consent, and lodge a complaint with a supervisory authority. You may lodge a complaint with the supervisory authority in the EU/EEA state where you work, normally live, or where any alleged infringement occurred.

United Kingdom — under UK GDPR: You have the same rights as under EU GDPR (as transposed into UK law). To lodge a complaint, contact the Information Commissioner's Office (ICO): www.ico.org.uk or call 0303 123 1113.

Serbia — under the Law on Personal Data Protection: You have rights broadly equivalent to GDPR rights. Complaints may be lodged with the Commissioner for Information of Public Importance and Personal Data Protection: www.poverenik.rs.

Ukraine — under the Law on Personal Data Protection: You have rights of access, correction, deletion, and objection. Complaints may be submitted to the Ukrainian Parliament Commissioner for Human Rights (Ombudsperson).

Canada — under PIPEDA / Quebec Law 25: You have the right to access and correct your personal information. Quebec residents additionally have the right to de-indexing and to be informed of automated decision-making. Complaints may be directed to the Office of the Privacy Commissioner of Canada (www.priv.gc.ca) or, for Quebec residents, to the Commission d'accès à l'information (CAI).

United States — under applicable state laws: Depending on your state of residence, you may have the following rights:

• California (CCPA/CPRA): Right to know what personal information is collected, disclosed, or sold; right to delete; right to correct; right to opt out of the sale or sharing of personal information; right to limit use of sensitive personal information; right to non-discrimination for exercising your rights. To exercise your rights, contact us at privacy@nortal.com. We do not sell your personal information. We do not use your personal information for cross-context behavioural advertising.
• Virginia, Colorado, Connecticut, Texas, and other states with comprehensive privacy laws: You may have rights to access, correct, delete, and obtain a copy of your personal information, and to opt out of targeted advertising. Contact us at privacy@nortal.com to exercise these rights.

Saudi Arabia — under the Saudi PDPL: You have the right to access your personal data, request correction, request deletion (where legally permitted), object to processing, and withdraw consent. Requests should be directed to privacy@nortal.com. Complaints may be submitted to the SDAIA/NDMO.

United Arab Emirates — Under Federal Decree-Law No. 45/2021: You have the right to access, correct, and request deletion of your personal data, and to withdraw consent at any time. For mainland UAE, complaints may be submitted to the UAE Data Office. If your application relates to a role within the DIFC, complaints may be directed to the DIFC Commissioner of Data Protection; for ADGM roles, to the ADGM Registration Authority.

Oman — under the Oman PDPL: You have rights of access, correction, deletion, and objection to processing. Complaints may be submitted to the Information Technology Authority (ITA): www.ita.gov.om.

Mexico — under the LFPDPPP (ARCO Rights): You have the right to Access, Rectification, Cancellation, and Opposition (derechos ARCO) in relation to your personal data. Complaints may be lodged with the Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI): www.inai.org.mx.

Colombia — under Law 1581/2012: You have the right to access, update, correct, and delete your personal data, and to revoke consent. Complaints may be lodged with the Superintendencia de Industria y Comercio (SIC): www.sic.gov.co. Before submitting a complaint to the SIC, you must first submit your complaint directly to Nortal at privacy@nortal.com and allow us the opportunity to respond. You may escalate to the SIC only after this internal process has been completed or if you do not receive a response within the applicable timeframe.

Uruguay — under Law 18.331: You have rights of access, rectification, and deletion. Complaints may be lodged with the Unidad Reguladora y de Control de Datos Personales (URCDP): www.gub.uy/urcdp.

To exercise any of these rights, contact us at privacy@nortal.com or by post to the relevant Nortal company address listed in Section 2. We will respond within the timeframe required by the applicable law.