Data Protection Declaration for Candidate

("Bankeaz | Data Protection Declaration for Candidate") (Version: 1.0, Date: 01.07.2024)

Data Protection Declaration for Candidate

In the following Data Protection Declaration, we shall inform you according to Art. 13 and Art. 14 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”) about the collection, use and processing of your personal data in connection with your application process for a job position/role in a company from Arcadia Group (hereinafter referred to as “Arcadia”), considering that Bankeaz, the Arcadia Group's digital product, is totally part of the Arcadia Group, the contact emails in this declaration will be under the bankeaz.com domain. i.e. contact@bankeaz.com.

Controller

The controller for the processing of your personal data for the evaluation of your application is the company from Arcadia Group to which you are applying for a specific job position/role (please see job description).

If your application is successful, and if we decide to do so, we will process your personal data to provide you with a contract offer and to later create an employee account for you that will also allow you to access and manage your data.

If your application is rejected, Arcadia AG (Zurich, Switzerland) will be the controller for storing your data (after the 6 months retention period) and if you provide consent for that processing as better explained below.

If you have any questions about this following Data Protection Declaration or your personal data, or wish to exercise any of your rights as described in this declaration or under applicable data protection laws, you can contact Arcadia’s Data Protection Officer through dpo@bankeaz.com.

Processing purposes and legal bases

In order to assess your application we process your personal data on the legal basis of Art 6 para (1) b) GDPR as it is necessary in order to take steps prior to the decision to establish an employment relationship.

If your application is rejected we will store your personal data for a period of 6 months according to Art 6 para (1) f) GDPR, namely our legitimate interest to comply with legal obligations deriving from the applicable local labor obligations as well as on legislation regulating fair and equal treatment.

After the 6 months mentioned, if you provide your consent to Arcadia AG in accordance with Art 6 para (1) a) GDPR, Arcadia AG will store and process your personal data to contact you later to let you know of any open positions for which we believe you would be a potential fit. Your consent may be withdrawn at any time. Please see section “Your rights” below.

To improve our recruiting process we will send you an email with a completely voluntary survey where you can provide anonymous feedback regarding your experience.

We send out these emails in accordance with Art 6 para (1) f) GDPR to carry out our legitimate interest in improving our processes based on user experience.

If your cover letter or other documents submitted, or even any professional social network profile, contain "special categories of data" according to Art 9 (1) GDPR (e. g. a photo that reveals ethnic origin, information on severe disability, etc.), we will process that data as per Art 9 (2) e) and h) GDPR (depending on the type of data shared).

However, we highlight that we want to hire applicants based only on their qualification and therefore ask all candidates to refrain from disclosing this kind of information.

Finally, as a financial institution, for some particular roles, before signing the employment contract, Arcadia needs to check a criminal record certificate. The personal data included in the submitted criminal records will be processed by Arcadia in accordance with Article (1) c) GDPR and Article 10 GDPR, namely to comply with legal obligations deriving from the applicable local AFC/AML legislation, where relevant, or any other relevant legislation (e.g. labor law).

“Special categories of personal data” (United Kingdom (UK) and European Economic Area (EEA) countries) or “Sensitive personal data” in other countries

Within the broad range of information which can be personal data, information revealing the following characteristics are considered “Special categories of personal data” in the UK and EEA and are therefore subject to a greater degree of protection:

• physical or mental health;
• racial or ethnic origin;
• political opinions;
• trade union membership;
• religious or philosophical beliefs;
• sexuality or sexual life; and
• genetic and biometric data.

Outside of the UK and EEA, other types of sensitive personal data, in addition to the “Special categories of data” mentioned above, may include:

• social status;
• criminal history;
• membership of a professional or trade association;
• social security numbers;
• bank account information; and
• financial data.

Personal data we process

• Personal data you give us

You may give us personal data about you by filling in forms online, corresponding with us by phone, email, in person, or otherwise, or through a recruitment agency or other third party.

• Personal data we collect from you

For the purposes and according to the legal provisions mentioned above, Arcadia processes your following personal data:

• first and surname;
• personal email address;
• home address;
• personal phone number;
• date of birth;
• gender;
• marital status;
• LinkedIn details/profile;
• cover letter(s);
• work experience;
• curriculum vitae (CV);
• copies of your passport, driving license and similar documents;
• education history (including copies of relevant degrees, diplomas or certificates if required), training and professional experience;
• current and past employment details;
• immigration status and work permits;
• languages spoken and level of proficiency;
• psychometric test results;
• information required to prepare the employment contract;
• your Image or a recording of you;
• references;
• criminal record;
• interview notes and recordings;
• diversity information (such as information about your race or ethnicity);
• information about your health, such as any disability you might have; and,
• any other information provided in any interview or test held or documentation submitted, such as information contained in your CV.

As mentioned above, we may process data that was made publicly available by you on professional social networks such as LinkedIn. We only use that information for the evaluation of your application and on the legal basis of Art 6 para (1) b) GDPR as it is necessary in order to take steps prior to the decision to establish an employment relationship.

Personal data provided by third parties

We collect most of the personal data described in section "Data transmission and Recipients" from you directly.

However, we may also collect personal data about you from third parties, including:

• existing Arcadia employees who refer or nominate you for roles with us;
• governmental authorities (such as local tax authorities);
• your named referees who you’ve asked to provide us with references;
• where allowed by law, third-party background screening providers, credit reference agencies, fraudprevention agencies, sanction screening and criminal convictions screening agencies; and
• where allowed by law, other publicly available sources, such as social media networking sites (such as LinkedIn, Instagram and Twitter).

Data relating to criminal convictions and offences

Where required and allowed by law, we also collect and store personal data relating to criminal convictions and offences. In cases where we need to identify a lawful basis for such processing, then, depending on local laws, such processing is carried out with your consent, to comply with our legal obligations or on the basis of our legitimate interests (to ensure we hire suitable candidates). This data is only processed where it is necessary for the purposes of:

• complying with or assisting other persons to comply with a regulatory requirement which involves Arcadia taking steps to establish whether you have committed an unlawful act or been involved in dishonesty, malpractice or other seriously improper conduct;
• preventing or detecting unlawful acts (including fraud);
• any legal proceedings (including prospective legal proceedings);
• obtaining legal advice; or
• establishing, exercising or defending legal rights.

Data transmission and Recipients

Where processing of personal data is carried out on behalf of Arcadia we conclude a separate contract with the processor. This contract ensures compliance with the GDPR and defines sufficient guarantees for the implementation of appropriate technical and organizational measures, which ensure the protection of your rights.

1. Arcadia Group Recipients

In order to support the application process your data required for that purpose is sent to the Arcadia People Team and to the specific team you applied for a position in.

Since we are a financial institution your personal data may also be shared with our regulatory teams.

If you applied for a position in Switzerland at Arcadia AG your personal data, once we have decided to provide you with an offer, will also be shared with the Works

Councils from these entities as per the applicable legislation.

2. External Recipients

Within the hiring process we use external providers with whom we have concluded separate agreements in accordance with the GDPR, as above mentioned.

For hiring purposes we may use the following providers:

Provider | Address | Processing activities carried out on behalf of Arcadia

Alphabet “Google” | | Management and Storage all job application data

Hostinger.com | | Provider User interface and application, all data will transit via their platform to Jotform and Google

Jotform.com | | Online application form

Transfers of personal data abroad

Insofar as Arcadia transmits data to entities located outside the EU/EEA and to ensure an appropriate level of data protection equivalent to that granted under the GDPR upon the international transfers of personal data, Arcadia has implemented one or more of the following transfer mechanisms, in addition to safeguards in accordance with the international data transfer impact assessment on the respective data transfer, if applicable:

• A decision of the European Commission deciding that the third country ensures an adequate level of protection, pursuant to Art. 45 (1) GDPR - the existing adequacy decisions can be found here. This includes the certification under the Data Privacy Framework Program developed by the U.S. Department of Commerce and the European Commission - self certified entities can be found here;
• Binding Corporate Rules (“BCRs”) approved as per Art. 47 GDPR, pursuant to Art. 46 (2) b) GDPR;
• Standard data protection clauses for the transfer of personal data to third countries (“SCCs”), as adopted by the European Commission, pursuant to Art. 46 (2) c) GDPR - the most recent version of the SCCs can be found here.

You can obtain a detailed copy of the transfer mechanism and more information in this regard by sending a request as indicated in section “Your rights” below.

Your rights

You have the following rights concerning your personal data:

• Right to revoke your consent according to Art. 7 (3) GDPR. Until the date of the withdrawal, data processing remains legally correct. It is hereby pointed out that in some cases, collection and storage of data regardless of consent may be required by applicable law. In such cases, we will discontinue any further processing and use of your personal data and delete or restrict them, insofar as we are not obligated under statutory provisions to continue to process or in particular to store them;
• Right of access according to Art. 15 GDPR, which means you can request information on whether your personal data is being processed by Arcadia and information on the particular processing of personal data, at any time, along with a copy of the information processed. In no case this right covers the access to documents or the obtention of copies of such documents. Also, we highlight that the right of access may not adversely affect the rights and freedoms of others;
• Right of rectification according to Art. 16 GDPR, which means you can request the rectification of your data when they are incomplete or inaccurate;
• Right to erasure according to Art. 17 GDPR, which means you can request the deletion of your personal data when they are no longer required by Arcadia for the purposes they were initially collected for, or when you understand they have been illicitly used. Arcadia can reject your request, if the data is necessary to comply with a legal obligation, for public interest reasons or for legal actions;
• Right to restriction of the processing according to Art. 18 GDPR, which means you can request the restriction of the processing of your personal data when it is legally permitted and, in particular, (i) while you challenge the accuracy of your data, (ii) when you request the restriction of your data because you believe the processing is unlawful, or (iii) when the data is no longer needed for the purposes for which it was collected but Arcadia needs them for legal actions;
• Right to object to the processing according to Art. 21 GDPR;
• Right to data portability according Art. 20 GDPR, which means you can request Arcadia to provide your personal data, in a structured, commonly used and machine-readable format and to transmit your data to another controller where the data processing is based on the consent, or on a contract and the processing is carried out by automated means.

Arcadia hereby points out that, if there are doubts about your identity when filing a request, additional documentation may be requested in order to authenticate you before responding to such request, because we do not want to disclose personal data to unauthorized persons.

Please direct all requests for information, queries or revocations regarding data processing via email to dataproctection@bankeaz.com. Notwithstanding the above provisions, you have the right under Art. 77 GDPR to complain to a supervisory authority, if you believe that the processing of your data was unlawful.

Arcadia has appointed a Data Protection Officer, who is accessible via dpo@bankeaz.com.

Retention periods

In case your application is rejected, we anonymize/delete all personal data after a period of 6 months, if you do not provide consent to further storage as mentioned under section "Processing purposes and legal bases". above. We are asking for your consent in the application flow to store your data in order to approach you for future possible positions that might be interesting for you. You can revoke your consent at any time in writing.

If provided, once the criminal record certificate has been checked, the data will be deleted and the original will be returned.

Complaints

Please direct any complaints about how Arcadia processes your personal data to our Data Protection Officer dpo@bankeaz.com.

You also have the right to complain to your local data protection authority:

• a list of European Union data protection authorities can be found here;
• the United Kingdom’s data protection authority’s contact details can be found here.

Changes

This declaration may be amended by Arcadia at any time. You can always find the latest version of this notice on ou website.

________________________________________________________________________________________