1. WHAT IS THE PURPOSE OF THIS DOCUMENT?
Exigy (the Company, our, us, we) is a data controller which respects the privacy of all those who share their personal data with the Company and is dedicated to protect the personal data it processes. You are being given a copy of this Privacy Notice because you have applied or have shown interest to work with us (whether as an employee, worker or contractor).
The purpose of this document is to provide you with certain information that must be provided according to the Data Protection Legislation. It also serves to make you aware of how and why your personal data will be used, during, and for the purpose of, the recruitment exercise. You will also be informed on how long the personal data will usually be retained for.
This Privacy Notice ceases to apply if you are successful in the recruitment process. If you are chosen to work with us you will be then expected to read and understand our Privacy Notice for Employees, Workers and Contractors.
It is important that you go through the following definitions section so that you acquaint yourself with the meaning of the technical words used in this Privacy Notice.
‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;
‘data protection legislation’ means (i) unless and until the General Data Protection Regulation (GDPR) is no longer directly applicable in Malta, the General Data Protection Regulation ((EU) 2016/679) and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time, in Malta including the Data Protection Act (Ch 586 of the Laws of Malta) and then (ii) any successor legislation to the GDPR or the Data Protection Act (Ch. 586 of the Laws of Malta).
‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
‘identifiable natural person’ is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’);
‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not;
‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;
‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
3. DATA PROTECTION PRINCIPLES
The Company strives to comply with Data Protection Legislation and principles. Thus your data will be:
• Used lawfully, fairly and in a transparent way.
• Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
• Relevant to the purposes we have told you about and limited only to those purposes.
• Accurate and kept up to date.
• Kept only as long as necessary for the purposes we have told you about.
• Kept securely.
4. THE KIND OF INFORMATION WE HOLD ABOUT YOU
During the recruitment process, the Company will process the following type of personal information about you :
The information you have provided to us in your curriculum vitae and covering letter whether submitted electronically or in hard copy, by yourself or a recruitment agency.
• The information you have provided on our application form, be it online or physical, including name, title, address, telephone number, personal email address, date of birth, employment history, qualifications.
• Any other information you provide to us during an interview and technical tests if any.
• Information you provide in reference letters and certificates we may ask you to provide before or after the interview.
• We do not process or request you to provide us with any sensitive personal information, unless you voluntarily send it in your covering letter or CV. If we think that such information is irrelevant to the process we will inform you accordingly and securely delete that information
5. HOW IS YOUR PERSONAL INFORMATION COLLECTED?
We collect personal information about candidates from the following sources:
You, the candidate.
• The recruitment agency through which you were recommended, from which we collect the following categories of data: [curriculum vitae, covering letter, salary expectation ].
• Your named referees, from whom we collect the following categories of data: [employment history].
• Data from third parties which are a publicly accessible source [LinkedIn]
6. HOW WE WILL USE INFORMATION ABOUT YOU
We will use the personal information we collect about you to:
Assess your skills, qualifications, and suitability for the role.
• Carry out background and reference checks, where applicable.
• Communicate with you about the recruitment process.
• Keep records related to our recruitment processes.
• Comply with legal or regulatory requirements.
• Comply with our obligations towards the recruitment agency which recommended you.
• We also need to process your personal information to decide whether to enter into a contract of employment OR service with you.
Once we receive your CV and your application form or you have been referred by a recruitment agency, we will then process that information to decide whether you meet the basic requirements to be shortlisted for the role. If you do, we will decide whether your application is strong enough to invite you for an interview.
If we decide to call you for an interview, we will use the information you provide to us at the interview to decide whether to offer you the role. We might ask you to attend for a 2nd and 3rd interview before offering the role. If we decide to offer you the role, we might request that you provide us with a reference letter, unless you already did before the interview, before confirming your appointment.
If you fail to provide personal information
If you fail to provide information when requested, which is necessary for us to consider your application (such as evidence of work history or qualifications), we will not be able to process your application successfully. For example, if we require a reference for this role and you fail to provide us with relevant details, we will not be able to take your application further.
7. HOW WE USE PARTICULARLY SENSITIVE PERSONAL INFORMATION
We will use information about your disability status to consider whether we need to provide appropriate adjustments during the recruitment process, for example, whether adjustments need to be made during a test or interview.
Information About Criminal Convictions
We do not envisage that we will process information about criminal convictions during the recruitment stage.
8. AUTOMATED DECISION-MAKING
We don’t envisage that you will be subject to decisions that will have a significant impact on you based solely on automated decision-making.
Should the job vacancy you have applied for necessitate any decisions to be based solely on Automated Processing (including profiling), then you will be informed accordingly and you will be also notified with your right to object.
This right will be explicitly brought to your attention and presented clearly and separately from other information. You will also be informed of the logic involved in the decision making or profiling, the significance and envisaged consequences and you will also be given the right to request human intervention, express your point of view or challenge the decision.
9. DATA SHARING
We share your personal information with the following third parties for the purposes of processing your application: M. Demajo Services Ltd, who are our HR outsourcing providers.
All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
10. DATA SECURITY
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need-to-know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
11. DATA RETENTION
We will retain your personal information for a period of 12 months. After we have communicated to you our decision about whether to appoint you to the role. We retain your personal information for that period so that we can show, in the event of a legal claim, that we have not discriminated against candidates on prohibited grounds and that we have conducted the recruitment exercise in a fair and transparent way. After this period, we will securely destroy your personal information in accordance with applicable laws and regulations.
If we wish to retain your personal information on file, on the basis that a further opportunity may arise in future and we may wish to consider you for that, we will write to you separately, seeking your explicit consent to retain your personal information for a fixed period on that basis.
12. DATA PROTECTION OFFICER (DPO)
We have appointed a data protection officer to oversee compliance with this Privacy Notice. If you have any questions about this Privacy Notice or how we handle your personal information, please contact the data protection officer, Mr Angelito Sciberras on firstname.lastname@example.org.
13. RIGHTS OF ACCESS, CORRECTION, ERASURE AND RESTRICTION
Under certain circumstances, by law you have the right to:
Be Informed We are giving you this Privacy Notice to keep you informed.
Access Please contact our DPO if you wish to access the personal information we hold about you. You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
Rectification: Please contact our DPO if you wish to rectify your information. We will also rectify the information you have consented us to pass on to third parties, if it is the case.
Erasure: Please contact our DPO if you want us to erase all your personal data and we do not have a legal reason to continue to process and hold it.
Restrict Processing: Please contact our DPO if you want us to restrict processing of your data. In this case we will restrict processing but we will still hold the data.
Data Portability: Please contact our DPO if you want information on how to port your data elsewhere. This right only applies to personal data that you have provided to us as the Data Controller. The data must be held by us by consent or for the performance of a contract.
Object: You have the right to object to us processing your data even when we do so for our legitimate interests. If you wish to object please contact our DPO.
Withdraw Consent: If you have given us your consent to process your data but later changed your mind, you have the right to withdraw your consent at any time. Please contact our DPO in case you wish to withdraw consent.
Complain to a Supervisory Authority which in Malta is the Office of the Information and Data Protection Commissioner (IDPC). You have the right to complain to the IDPC if you feel that we have not responded to your requests to solve a problem. The IDPC is at Floor 2, Airways House, Triq il-Kbira, Tas-Sliema and can be reached on 2328 7100.