Last updated: December 2022
NAVEX, including its applicable affiliates and subsidiaries, are committed to respecting your privacy and we recognize the need to appropriately protect and manage any personally identifiable information, or personal data, we obtain about you.
This Candidate Privacy Notice (“this Notice”) describes the types of personal data (or “personal information”) we may collect, how and why we may use your personal data, how long we may retain your personal data and how we protect your personal data. In addition, this Notice provides you with certain information that must be provided under applicable laws, including the General Data Protection Regulation ((EU) 2016/679) and the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act of 2020) and its implementing regulations (collectively the “CCPA/CPRA").
If you are located in the UK or European Economic Area, NAVEX Global, Inc. is the data controller in relation to your personal data.
The kind of information we obtain about you
In connection with your application for work with us, we may collect, store, and use the following categories of personal information about you:
- The information you have provided to us in your curriculum vitae and cover letter.
- The information you have provided on our application form, including name, title, address, telephone number, personal email address, employment history, qualifications.
- The information provided to us in connection with a pre-employment aptitude test.
- Any information you provide to us during an interview.
- Information relating to criminal convictions and offences.
- Information relating to your credit record and financial worthiness.
- Information relating to your health.
- Information relating to your racial or ethnic origin.
What are the sources of your personal information?
We may collect personal information about candidates from the following sources:
- You, the candidate or your devices.
- Our affiliates and subsidiaries.
- Recruitment and talent management agencies.
- Vendors who provide services on our behalf.
- Social networks, such as your public professional networking profile.
- Employees and others who refer you to us.
- Credit bureaus, credit reporting service provider, background check services
How will we use information about you?
We may use your personal data to:
- Assess your skills, qualifications, and suitability for the role.
- Carry out background and reference checks, where applicable.
- Communicate with you about the recruitment process.
- Provide you a pre-employment aptitude or skills test.
- Keep records related to our hiring processes.
- Comply with legal or regulatory requirements.
- Decide whether to offer you employment and enter into a contract of employment with you.
- Contact you about suitable alternative roles in the event that your application is not successful.
Having received your CV, cover letter and/or your application form, we will then process that information to decide whether you meet the basic requirements to be screened by our in-house recruitment team. Once screened by our in-house team, we will decide whether your application is strong enough to invite you for an interview, be it by telephone, in person or other electronic means. You may be invited to take a pre-employment aptitude or skills test as part of our screening process. If we decide to engage you for an interview, we will use the information you provide to us during the interview to decide whether to offer you employment.
If you are a resident of the European Economic Area or the United Kingdom, we process your personal data for the purposes described above because (i) we have a legitimate interest in operating our business and managing the recruitment process, or (ii) because we are required to do so by law or to discharge our regulatory obligations. In addition, we may process your sensitive personal data and information relating to criminal convictions and offences as described below:
- We may process information relating to criminal convictions and offences, and information relating to your credit record and financial worthiness, for purposes of background checking and ensuring you are suitable for the role applied for, and we do so on the basis of your consent.
- We may process information relating to your health and disabilities for purposes of accommodating disabilities and making any required reasonable adjustments, and we do so because we are required by law.
- We may process personal information relating to your racial or ethnic origin for purposes of equality, diversity and inclusion monitoring, and we do so either with your consent or, if you are located in the United Kingdom, because it is necessary for the purpose of identifying or keeping under review the existence or absence of equality of opportunity or treatment.
If you fail to provide personal information
If you fail to provide the required information when requested (please note many sections of our application form is voluntary), which is necessary for us to consider your employment (such as evidence of qualifications or work history), we will not be able to process your application successfully and unable to take your application further.
You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making.
Data sharing with service providers and other countries
We will only share your personal data with third party partners as follows:
- For the purposes of processing your application;
- We may share your information with other companies within our ownership group if we believe they may have relevant vacancies you might be interested in;
- Any service provider or other entities in the group are required to take appropriate security measures to protect your personal information in line with our policies and applicable law. We do not allow service providers to use your personal data for their own purposes and only allow them to process your personal data for specified purposes and in accordance with our instructions.
As applicable, we may transfer your personal information to the United States in support of our employment and recruitment processes. Any such transfers will be in compliance with the EU-U.S. or Swiss – U.S. Privacy Shield principles. NAVEX and its U.S. affiliates, The Network, Inc. and Lockpath, Inc. ("NAVEX US") have committed to handling such information in accordance with the EU-US Privacy Shield and Swiss-US Privacy Shield Framework Principles as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data from countries in the EEA. All NAVEX US companies have certified that they adhere to the Principles of Notice, Choice, Accountability for Onward Transfers, Security, Data Integrity & Purpose Limitation, Access and Recourse, Enforcement & Liability (the “Principles”). However, in 2020, both frameworks were declared invalid as a legal mechanism that could be relied on for the lawful transfer and processing of personal information from the EEA, the United Kingdom, and Switzerland. Despite this, NAVEX continues to certify its compliance with the frameworks as a means of evidencing its continued commitment to protecting personal information from the EEA, the United Kingdom, and Switzerland and remains under the jurisdiction of the U.S. Federal Trade Commission. As required by the frameworks, any personal information we receive under the frameworks will be maintained in accordance with the Principles.
If there is any conflict between the policies in this Notice and the Principles, the Principles shall govern. To learn more about the Principles and to view our certification, please visit: https://www.privacyshield.gov/.
We have taken appropriate safeguards to require that the personal information we process will remain protected when transferred internationally. NAVEX relies on the European Commission’s Standard Contractual Clauses, a third-party service provider’s Binding Corporate Rules or other legally approved mechanism, for any transfer of personal information to non-EEA, United Kingdom, or Switzerland locations.
Personal information received by NAVEX following invalidation of the Frameworks will be transferred and processed in accordance with the applicable European Commission’s Standard Contractual Clauses. More information about Privacy Shield can be found here and more information about the Standard Contractual Clauses can be found here.
NAVEX entities located in the United States are subject to the investigatory and enforcement powers of the Federal Trade Commission.
If you are resident in the EEA and believe that your personal data has not been processed in compliance with the Principles, you may raise your complaint in a number of ways:
(1) You can contact us directly using the contact details provided below and we will respond to your complaint within 45 days of receipt:
(2) If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, you can contact your state or national data protection or labour authority in the jurisdiction where you work. We have committed to cooperate with the panel of the EU Data Protection Authorities (DPAs), and the state or national data protection authority where you work, to investigate unresolved complaints.
Under certain conditions, described more fully on the Privacy Shield website, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.
We maintain administrative, physical, and technology-based security measures to protect your personal information against loss, misuse, unauthorized access or disclosure, destruction, and alteration. In addition, we limit access to your personal information to those employees, agents, contractors, and other third-party partners who have a business need-to-know. Such individuals will only process your personal information on our instructions and are subject to a duty of confidentiality.
NAVEX retains personal information about you for the time period reasonably necessary to achieve the purposes outlined in this Notice unless a longer retention period is required or permitted by applicable law, taking into account applicable statutes of limitations and records retention requirements under applicable law.
- Where you are not hired by us, we may retain your personal information for a reasonable period so that we can make you aware of any suitable alternative roles that arise during this period.
- We also retain your personal information so that we can demonstrate, in the event of a legal claim, that we have not discriminated against candidates on prohibited grounds and that we have conducted the recruitment exercise in a fair and transparent way. After this period, we will securely destroy your personal information in accordance with applicable laws and regulations.
- Unless prohibited by applicable law, you can request that we not retain your personal information by notifying us at any time and we will delete your personal information.
You have certain rights regarding your personal information.
Rights provided under the Privacy Shield Frameworks to personal information transferred from European Union (EU) member countries and Switzerland to the United States. NAVEX respects your control over your information and, upon request, we will confirm whether we hold or are processing information that we have collected from you. You also have the right to amend or update inaccurate or incomplete personal information, request deletion of your personal information or request that we no longer use it. Under certain circumstances we will not be able to fulfill your request, such as if it interferes with our regulatory obligations, affects legal matters, we cannot verify your identity, or it involves disproportionate cost or effort, but in any event we will respond to your request within a reasonable timeframe and provide you an explanation. In order to make such a request of us, please use this web form.
European Economic Area, Switzerland or United Kingdom Citizen Rights. Individuals who reside in the European Economic Area (EEA), including Switzerland and the United Kingdom (UK) have additional rights reserved under the General Data Protection Regulation (GDPR), the UK Data Protection Act and/or ePrivacy Directive, as applicable. This section details those additional rights and information on how to exercise them:
- You may request to access, correct, update or request deletion of your personal information.
- You may request additional information related to the purposes for which we process your personal information, the categories of personal information we process, where we originally collected the information, who we share it with, and how long we will retain it.
- You may object to our processing of your personal information, request that we restrict the processing of your personal information or request portability.
- You have the right to opt-out of marketing communications we sent you at any time. You can do so by clicking the “unsubscribe” or “opt-out” link in the marketing emails we send to you. You may also opt-out of other forms of marketing (such as postal or telemarketing).
- Where we have collected and processed your personal information with your consent, you can withdraw your consent at any time. However, withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal nor will it affect the processing of your personal information conducted in reliance on lawful processing grounds other than consent.
- Upon your request, and where it is technically feasible, NAVEX will provide you with a copy of your personal information or transmit it directly to another controller.
- If we process your personal information based on your consent, you have the right to withdraw your consent at any time.
- You have the right to submit a complaint to a data protection authority about our collection and use of your personal information. For more information, please contact your local data protection authorities. Contact details for EEA data protection authorities are available here, and contact details for Swiss data protection authorities are available here. If you are located in the UK your local data protection authority is the Information Commissioner’s Office.
To make a request please use this web form or email us at email@example.com with “Personal Information Request” in the subject line, and provide us with full details in relation to your request, including your contact information and any other detail you feel is relevant. NAVEX will provide a response to an access request within 30 days of receiving such request or if we cannot, we will notify you and provide you with the reason for the delay.
Identity Verification Requirement. We are required by law to verify that any request submitted was made by someone with the legal right to access the data. Therefore, prior to accessing or divulging any information pursuant to a data subject access request, we may request that you provide us with additional information in order for us to verify your identity and legal authority.
Under certain circumstances we may not be able to fulfill your request, such as where doing so would interfere with our regulatory or legal obligations, where we cannot verify your identity, or if your request involves disproportionate cost or effort; in any event, we will respond to your request within a reasonable time frame and as required by law, and provide you an explanation.
California Resident Rights. If you are a California resident, please review the California Privacy Statement below for more information about your privacy rights.
Data protection officer
We have appointed a data protection officer (DPO) to oversee compliance with this privacy notice. If you have any questions about this privacy notice or how we handle your personal information, please contact the DPO by email, at firstname.lastname@example.org.
You have the right to make a complaint at any time to your local supervisory authority for data protection issues.
Cookies on NAVEX’s career site
For NAVEX’s Career Site (e.g. https://navexglobal.wd5.myworkdayjobs.com/en-US/NAVEX and related pages), NAVEX uses only cookies which are required for the website to function properly. NAVEX also uses a tracking pixel to track progress through our application process.
All cookies used on our Career Site are session-based. Session cookies make it easier to navigate our Career Site and disappear from your computer when you close your browser or turn off your computer.
These cookies cannot be switched off in our systems. They support session management (permitting timing out session after inactivity), security management (protecting web infrastructure against potential attacks), and routing (forwarding requests for a single session to the same server for consistency of service across pages within the Career Site). You can set your browser to block or alert you about these cookies, but some parts of our Career Site will not work if you block them.
California Privacy Statement
Last Updated: December 2022
This California Privacy Statement (the “Statement”) supplements the NAVEX Candidate Privacy Notice above and applies solely to California job candidates. This Statement does not apply to visitors of NAVEX’s website, representatives of NAVEX’s business customers and business partners, and NAVEX’s personnel. The statement uses certain terms that have the meaning given to them in the CCPA/CPRA.
Notice of collection and use of personal information
We may collect (and may have collected during the 12-month period prior to the last updated date of this Statement) the following categories of personal information about you:
- Identifiers: identifiers such as a real name, alias, postal address, unique personal identifier (e.g., device identifier, unique pseudonym, or user alias/ID), telephone number, online identifier, Internet Protocol address, email address, account name, login credentials, and other similar identifiers.
- Additional Data Subject to Cal. Civ. Code § 1798.80: signature, physical characteristics or description, and state identification card number.
- Protected Classifications: characteristics of protected classifications under California or federal law, such as gender, race, age, sex, national origin, citizenship status, and military and veteran status.
- Sensory Information: audio, electronic, visual and similar information.
- Employment Information: professional or employment-related information, such as résumé information, occupation details, education details, certifications and professional associations, historical compensation details, previous employment details, and pre-employment screening and background check information, including criminal records information) and emergency contact information.
- Skills Testing Information, such as typing skills, dependent upon the applicable role.
We may use (and may have used during the 12-month period prior to the last updated date of this Statement) the categories of personal information for the purposes described in the “How we will use information about you?” section of the Notice above and for the following Business Purposes as they are described in the CCPA/CPRA:
- Performing services.
- Certain short-term, transient uses.
- Helping to ensure security and integrity to the extent the use of your personal information is reasonably necessary and proportionate for these purposes.
- Debugging to identify and repair errors that impair existing intended functionality
- Undertaking internal research for technological development and demonstration
- Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by us, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by us.
NAVEX does not collect or process sensitive personal information with the purpose of inferring characteristics about job candidates.
Retention of personal information
NAVEX retains personal information about you as described in the “Data retention” section of the Notice above.
Sources of personal information
During the 12-month period prior to the last updated date of this Statement, we may have obtained personal information about job candidates from the categories of sources listed in the “What are the sources of your personal information?” section of the Notice above.
Disclosure of personal information
During the 12-month period prior to the last updated date of this Statement, we may have disclosed the following categories of personal information about job candidates for a business purpose to the following categories of third parties:
|Categories of personal information||Categories of third parties|
Additional data subject to Cal. Civ. Code § 1798.80
Skills testing information
In addition to the categories of third parties identified above, during the 12-month period prior to the last updated date of this Statement, we may have disclosed personal information about job candidates to government entities (e.g., in response to law enforcement requests) and third parties in connection with corporate transactions (e.g., mergers, acquisitions, joint venture, reorganization, divestitures, dissolution or liquidation).
NAVEX Global does not sell or share for cross-context behavioral advertising purposes personal information about job candidates.
California privacy rights
You have certain choices regarding your personal information, as described below.
Access: You have the right to request, twice in a 12-month period, that we disclose to you the personal information we have collected, used, disclosed and sold or shared about you during the past 12 months.
Correction: You have the right to request that we correct the personal information we maintain about you, if that information is inaccurate.
Deletion: You have the right to request that we delete certain personal information we have collected from you.
How to submit a request
To submit a request to access, correct, or delete your personal information, please use this web form or call us toll-free at 1-844-842-0916. To submit a request as an authorized agent on behalf of a consumer, please email us at email@example.com with the subject line Authorized Agent Request.
To help protect your privacy and maintain security, we will take steps to verify your identity before granting you access to your personal information or complying with your request. For example, if you have an online account for HR purposes with us, we may verify your identity by requiring you to sign into an applicable account. Alternatively, we may reach out to you directly as our candidate for employment to verify your identity or require you to provide us information to enable us to verify your identity, for example your resume/cv or address information. In addition, if we cannot verify you through an online or this is inapplicable, and you ask us to provide you with specific pieces of personal information, we may require you to sign a declaration under penalty of perjury that you are the consumer whose personal information is the subject of the request.
If you designate an authorized agent to make a request on your behalf, depending on whether you have an online account with us, we may require that you verify your identity as set forth above. We also may require you to provide the authorized agent a written confirmation that you have authorized the agent to act on your behalf and the scope of such authorization.
If you choose to exercise any of your rights under the CCPA/CPRA, you have the right to not receive discriminatory treatment by us. To the extent permitted by applicable law, we may charge a reasonable fee to comply with your request. If you have any questions about this Statement or concerns about our privacy practices, please contact our DPO by email at firstname.lastname@example.org.