PRIVACY NOTICE FOR NOVOCURE JOB APPLICANTS

What is this Privacy Notice about?

The Novocure group (also «we», «us») collects and processes personal data that concern you but also other individuals («third parties»). We use the word «data» here interchangeably with «personal data».

The «Novocure group» means the Novocure GmbH and its subsidiaries and group companies. A list of these subsidiaries and group companies can be found here: https://www.novocure.com/our-global-community/.

«Personal data» means data relating to identified or identifiable individuals, which means that the relevant data, in combination with additional data, make it possible to draw conclusions about the identity of these individuals. «Sensitive personal data» is a subset of personal data that is specially protected under applicable data protection law. This includes, for example, health data, data revealing racial or ethnic origin, religious or philosophical beliefs, biometric data for identification purposes, and information relating to trade union membership. In Section 3, you will find information about the data we process in accordance with this Privacy Notice. «Processing» means any operation that is performed on personal data, such as collection, storage, use, alteration, disclosure and erasure.

In this Privacy Notice, we describe what we do with your data when you use our job application form on the website https://careers.novocure.com/ («recruitment portal») or otherwise interact with us in relation to a job opening posted on our recruitment portal, a job application or a potential employment contract. We further describe the processing of your data in your capacity as a current, former or future employee, trainee or secondee, director or executive, candidate, or external staff (i.e. workers who are not employed by the Novocure group but who work under our instructions and have access to our facilities and/or our corporate network, as well as to the personal data we entrust to them for the purpose of carrying out their mandate, including consultants, outsourced staff and agency temporary workers), whether temporary or permanent, full-time or part-time (also «employees», «you»).

If you use the services, websites and other offerings or resources of the Novocure group other than in your capacity as an employee, the other relevant notices apply. Our general website privacy notice is available here: https://www.novocure.com/novocure-website-privacy-notice/ and our privacy notice for Predictive Index is available here: https://careers.novocure.com/content/Privacy-notice-for-use-of-Predictive-Index/?locale=en_US. When appropriate we will provide a just-in-time notice to cover any additional processing activities not mentioned in this Privacy Notice.

This Privacy Notice applies to all employees of the Novocure group. If the individual Novocure group company for which you work has its own local employee privacy notice, such notice shall apply in addition to this Privacy Notice (unless stated otherwise), but shall have precedence over this one.

If you disclose data to us or share data with us about other individuals such as family members, co-workers, supervisors, former employers, etc., we assume you are authorized to do so and that the relevant data is accurate. When you share data about others with us, you confirm that. Please make sure that these individuals have been informed about this Privacy Notice.

This Privacy Notice is aligned with the EU General Data Protection Regulation («GDPR»), the Swiss Data Protection Act («DPA») and revised Swiss Data Protection Act («revDPA»). However, the application of these laws depends on each individual case.

 

Who is the controller for processing your data?

The Novocure Inc., 195 Commerce Way Portsmouth, NH 03801, United States (the «company») is the main controller with respect to the collection and processing of your data on the recruitment portal and related systems insofar as operated for the Novocure group.

The individual Novocure group company that advertises a particular job opening on the recruitment portal is a joint controller with regard to your data processed in relation with such job opening. Once a particular job application is received by or handed over to the individual Novocure group company for being processed for a particular job opening (in particular the one for which you apply), such Novocure group company becomes the sole controller of the further processing of your data with regard to such job opening.

The individual Novocure group company is the controller with respect to the collection and processing of your data in connection with that particular job opening (in particular the one for which you apply) for the purposes of conducting the recruitment process. You can contact this individual Novocure group company for data protection concerns and to exercise your rights under Section 10 using the contact details provided in the job advertisement.

The individual Novocure group company identified in your employment contract and with which you enter into (or have entered into) an employment relationship (or in the case of external staff: the Novocure group company under the instruction of which you are working for the Novocure group) is the controller with respect to the collection and processing of your data in connection with the employment (or contract work) relationship, unless certain information is shared with group functions that process it for their own purpose (for example group wide statistics), in which case those group functions act as separate controllers. If you have any questions or concerns in relation to data protection, you can contact your local HR manager or the Data Protection Officer of the Novocure group company for which you work (if any).

For each processing activity there are one or several parties that are responsible for ensuring that the processing complies with data protection law. This party is called the controller. It is responsible, for example, for responding to access requests (Section 10) or for ensuring that personal data is processed securely and not used in an unlawful manner.

Additional parties may be joint controllers for the processing set out in this Privacy Notice if they participate in determining the purpose or means of the processing. All group companies may act as joint controllers. If you want to receive information about the controllers for a specific processing activity, you are welcome to ask us as part of your access right (Section 10).

In Sections 3, 6 and 11, you will find additional information about third parties with whom we work together and who are controllers for their processing. If you have any questions for these third parties or if you want to exercise your rights, please contact them directly.

If you have any questions or concerns in relation to data protection at a group level, your point of contact is as follows:

Novocure GmbH
Park 6
CH-6039 Root D4
dataprotection@novocure.com

We have appointed the following additional positions:

Data Protection Officer according to articles 37 et seq. GDPR:

Novocure GmbH
Data Protection Officer
Park 6
CH-6039 Root D4
dataprotection@novocure.com

Data Protection Representative in the EU according to article 27 GDPR:

Novocure GmbH
Elektrastr. 6
81925 Munich, Germany

dataprotection@novocure.com

You can also contact these parties for privacy concerns.

 

What data do we process?

We process various categories of data about you, including current but also previous versions where information changes over time. The main categories of data are the following:

Technical data: When you use our recruitment portal, we collect the IP address of your terminal device and other technical data in order to ensure the functionality and security of these offerings. As an employee, when you use our corporate network, IT systems, internal platforms, applications and tools (for example the intranet, the Novocure group supports systems, ERP systems, business applications, mobile devices and other collaboration and communication tools) or other infrastructure (for example building or property access systems), we collect data about the access credentials presented by you, your logins, accesses, entries and exits, your usage of our applications, systems and other infrastructure and devices, as well as data about the devices, equipment and other tools you may be using in order to ensure the functionality and security of these services, systems and other infrastructure. Where it is necessary to have an audit trail or for statistical purposes, we will also log this data. We generally keep technical data for up to [6] months. In order to ensure the functionality of these offerings, we may also assign an individual code to you or your terminal device (for example as a cookie, see Section 11). Such technical data may be linked or matched with other categories of data (and potentially with your person) in relation to user accounts, registrations, access controls or pre-contractual steps in the context of an employment contract (for example the submission of your job application).

Technical data includes information about the device you are using (operating system, unique identifiers, applications, browsers), data used for authenticating you as an authorized user (user names, passwords) but also certain actions (your logins, use of certain applications and features, files you access, calls made or received, Internet pages you call up, e-mails you send or receive). Some applications (for example accounting systems) track every piece of data you enter, change or delete to provide for an audit trail. This information will usually be linked to you, because we normally only allow usage of our systems to authenticated users, which is also why you should not share your credentials with others. We do not record keystrokes or similar information. We try to limit the audit trails to what is necessary for the operation and security of our information technology systems and applications, and other permitted purposes. It is possible, though, that in the case of an investigation or due to legal obligations, subject to applicable law, we may collect additional technical data we would otherwise not collect.

Registration and account data: Certain offerings on our recruitment portal can only be used with a user account or registration, which can happen directly with us or through our third-party login service providers. In this regard, you must provide us with certain data, and we collect data about the use of the offering or service. We may also collect and store data about you to enable you to login to our systems, access our buildings, identify and authenticate yourself vis-à-vis third parties and have your "personal" space within our computer systems (for example your mailbox). Account data will typically include your name, potentially contact and organizational information, access rights and, in connection with access control systems, eventually also biometric data. We generally keep this information between [3] and [12] months from the date the use of the service ceases or the user account is closed. This period may be longer where required for evidentiary purposes, to comply with legal or contractual requirements, if you instruct us to keep the account active for a longer period, or for technical reasons. Note that your account data may be logged in the form of technical data (see above) and may contain preference data (see below). The content of your mailbox typically qualifies as communication data (see below), and business related content of personal space will typically be work result data (see below).

Account data comprises data such as user names, passwords, phone numbers for multi-factor-authentication, access rights and privileges, the information on access badges and company IDs, biometric information for access controls. Depending on the technology used, biometric information could, for example, be a photograph and other characteristics of parts of your body (for example fingerprints), which are usually stored in a coded manner (i.e. not a «picture» of your fingerprint, but rather the aspects of your fingerprint that make it unique). We will either collect this information from you directly, or create it based on information you have provided us. With regard to computer and network accounts and access control authorizations, the data will be replicated within the relevant systems. Depending on the type of access control, we may create access badges or photo and other ID cards with account data. If third parties (for example clients, business partners, service providers, etc.) need to identify or authenticate you for work purposes, we may also share such data with them. With regard to our computer systems, your account will also serve as a container for storing personal files, preference data, communication data and other information that is of personal or potentially even private nature (for example, if you store a private document in your «personal» folder on the corporate network). Also, all the documents you put on your computer «desktop» will be stored within your account.

Communication data: When you are in contact via the contact or application form, by e-mail or telephone, by letter or other means of communication, in your own capacity (as opposed to acting for us), we collect the data exchanged between you and us, including your contact details and the metadata of the communication. Communication that is relevant for our employment or working relationship with you may be retained for the period of such relationship (for example as part of the HR file). E-mails in personal mailboxes and written correspondence are generally kept for at least [10] years. For job applications you send to us by courier, the retention period specified in qualification data applies (see below). The retention period may even be longer where required for evidentiary purposes, to comply with legal or contractual requirements, or for technical reasons. As an employee, communication data also includes your entire communications for work purposes (for example the e-mails you have sent or received). When you are in contact with other Novocure group employees, our support functions (such as HR and IT support) or third parties (for example customers, suppliers, business partners, etc.) through group chat or messaging applications, your professional e-mail address, telephone number or other company communication means, we assume that these communications are work-related and we collect the data exchanged via this means, including the metadata of the communication. If you happen to use company communication means for private communications, we will also inevitably collect those private communications.

Communication data is your name and contact details, the means, place and time of the communication and usually also its contents (i.e. the contents of e-mails, letters, internal chats, etc.). This data may also include information about third parties (for example customers, suppliers, business partners and family members). Communication data may also end up as technical data or account data.

Qualification data: When you apply for a position with us, we collect and process the data that you submit to us in your application materials along with your job application, for example, your name and contact details, information about your academic background, qualifications, and professional experience. We generally collect this data directly from you in your application materials, such as your curriculum vitae, cover letter, diplomas, certificates, academic transcript of records and recommendation letters. Depending on the type of position advertised, we may also receive this data from recruitment and placement agencies that you have provided to them in the context of a job search. As a candidate, if your application is successful and you accept an offer of employment or work from us, the data that we have collected from you during the pre-employment period will become part of your personnel file with us, respectively will be added to your personnel file (if you are already employed with the Novocure group and apply for an internal position), and will be kept for the duration of the employment relationship. This period may be longer where required for evidentiary purposes, to comply with contractual or legal requirements (including local applicable laws), or for technical reasons. As a candidate, if your application (sent by courier or via the form on the recruitment portal) is unsuccessful, we generally keep this data for [3] months from the date of notification of the rejection decision, except in the event of an internal application, where the data is already known to us and will be kept for the duration of the employment. This deadline does not apply to applications sent by email, which are kept in accordance with the retention period applicable to communication data (see above).
This period may be longer in certain circumstances, for example if you have consented to a longer retention period so that we can inform you of future employment opportunities with us. In that case, we will generally keep the data for [1] year from the notification of the rejection decision, and for a maximum of [2] years if you agree to an extension period.

Qualification data includes data such as name, mailing address, e-mail address, telephone number and other contact details, photograph, gender, date of birth, nationality, passport number, immigration status, marital status, number of children, name of relatives working in the Novocure group, salary requirements, function, membership in professional associations, military status; moreover, information on your academic background, diplomas, certificates, academic transcript of records, technical skills, language skills, employment history (including job titles, salary and working hours), reference information from third parties (to the extent permitted), and extracurricular activities.

During the screening process, depending on the type of position, we may ask you to provide us with additional information for compliance purposes, such as a work permit, a clean criminal record, an extract from the debt collection register, a driving license and a medical certificate confirming your ability to work. The medical certificate is sensitive personal data, for which we will ask you for separate consent to obtain it. The criminal record may be only processed insofar as local law permits us to do so.

Further, depending on the type of position, we may also require that you undergo a medical examination to assess the suitability for the position in question.

Candidate assessment data: During the recruitment process, we collect data that serves to determine your suitability for the employment position, in addition to qualification data, publicly available and reference data. Depending on the type of position you apply for, we may ask you to take a behaviour-based personality test, provided by our partner Predictive Index, 101 Station Drive, Westwood, MA 02090, United States («PI»). During the PI behavioural assessment, you will be presented with two lists of adjectives. In the first list, you will be asked to select the words that describe the way others expect you to act. In the second list, you will be asked to select the words that describe you in your opinion. We will collect and process your responses to this PI behavioral assessment. We generally keep this data for [3] months from the end of the relevant recruitment process. You can find more information about Predictive Index in our separate privacy notice for Predictive Index, available here [link to the Privacy Notice for Predictive Index]. If you are already employed by us and apply for another internal position, we may also use information from your personnel file to supplement the information you provide to us with your application in order to assess your suitability for the new internal position. We also collect and process data that is not provided directly by you, but which is used to determine your suitability for the position you are applying for (at the recruitment stage) or occupying (once employed), such as, at the recruitment stage, the notes we take during and after our interviews with you, our internal exchanges and discussions about your suitability for the position, and once you are employed by us, the internal evaluations and reports about you that serve to determine or confirm, on an ongoing basis, your suitability for the position you hold.
We generally keep this data for [3] months from the date of notification of the rejection decision, except in the event of an internal application, where the data is already known to us and will be kept for the duration of the employment.

As an applicant, candidate assessment data includes information on the personal impressions you made during your interviews with your interlocutors (for example personality traits, engagement in the discussion), your ability to communicate and express yourself, your ability to react to fictitious situations and propose creative solutions, as well as information on your analytical and writing skills. Insofar as you take the PI assessment, it also includes the adjectives you have chosen.

As an employee, qualification data further includes internal evaluations and reports about you that purport to determine or confirm, on an ongoing basis, your suitability for the position you hold.

Publicly available data: We may collect certain personal data about you online to the extent that you have made this information publicly available and it is relevant for the job opening at issue or otherwise your assessment as a professional. We generally obtain this information from public sources. For example, we may find your profile on professional social media websites (such as LinkedIn and Xing) and collect the information made available through this channel. We generally only view and access this data within the original public source (such as LinkedIn) and do not transfer or manage the data within Novocure systems. We only view and access this data for as long as you choose to make it public. (For example, when you delete information from LinkedIn, Novocure can no longer view and access that data.)

Publicly available data includes data such as professional connections on a social media platform, activity on the platform (posts, comments, «likes»), photographs, videos (for example attended or organized webinars, conferences), skills, endorsements, licenses, certifications, publications, and interests (pages, companies and people «followed» on the platform).

Reference data: If, in your application, you mentioned persons with whom or for whom you have worked in the past, such as former supervisors, co-workers, clients, we can contact them by e-mail, telephone, letter or other means of communication, or meet with them in person, in order to obtain references about you. We will only contact these persons if you have specifically provided us with their names and contact details for the purpose of your application. Again, we assume you are authorized to do so and that the relevant data you have provided us is accurate. If you are already employed by us and apply for another internal position, we may request references and internal assessments from your current supervisors and co-workers. We generally keep this data for [3] months from the end of the relevant recruitment process, except in the event of an internal application, where the data is already known to us and kept for the duration of the employment relationship.

Reference data includes data such as information about your relationship with the referral person, your personality, abilities, qualifications, contributions to the company, work ethics and job performance.

Financial data: In relation to the payment of your salary, company allowances and other benefits, we collect data about your salary, bank details, tax information and other information necessary for the administration of payroll, taxes and benefits. We generally keep this data for the duration of the employment relationship and for [10] years from the end of the employment relationship. Accounting and tax information will generally be kept for a shorter period of [10] years after the end of the civil year.

Financial data includes data such as your salary and related information (for example pay slips, social security contributions, family allowances, bonuses, shares in the Novocure group company, as well as information on your base salary and salary level), information on other benefits (for example travel services and subsidies and information on the deduction of withholding taxes) and expenses (for example the use of business credit cards, expense reports and reimbursements, including those related to business trips). In the event that your salary is seized, the competent debt collection office will inform us. In this case, we will have to pay all or part of your salary to the debt collection office and we will also process the related information.

Performance and training data: We collect data related to your work performance, your disciplinary record, as well as your training history and development needs. We generally keep this data for the duration of the employment relationship and for [10] years from the end of the employment relationship.

Performance data includes data on your performance at work (for example probation reviews, performance development reviews (PDRs), promotions, details of targets achieved, and client referrals and feedback during the employment or work relationship), involvement in job-related associations and organizations, whistleblowing concerns raised by you or to which you may be a party or a witness, disciplinary records (such as details of any disciplinary or grievance procedures in which you have been involved, including any warnings or penalties imposed on you and related correspondence), and details for amending or terminating the employment contract, including notice of termination of the employment or work contract.

Training data includes information about your training (for example participation in internal and external training in relation to your role) and development needs (for example enrollment in an advanced master degree, participation in a secondment program, etc.).

Work result data: We collect data in relation to the work and content that you or others create for us or share with us during your employment contract and that relates to you or your role within the Novocure group acting for or on behalf of the Novocure group. The time we keep such work result data will depend on how long we need to keep such work results, given that they have been created or produced in the course of your work for the Novocure group, and any personal data processed is usually only of ancillary nature. With regard to your communications sent and received for work purposes, see communication data.

Work result data includes all content that you or others create or edit, or participate in creating or editing, for us or share with us during your employment contract that relates to you or your role within the Novocure group acting for or on behalf of the Novocure group (for example references to you contained in presentations, memorandums, minutes of meetings, reports, graphics, corporate publications, official filings, contracts, etc.), whether or not such content is protected under intellectual property laws. Many would not even consider such information as personal data, but because you may appear in such work results in an identifiable manner, we nevertheless list it here.

Administration data: At the beginning of your employment with us and during the performance of our employment relationship with you, we collect data about you that allows us to administer and manage our employment relationship with you, prepare our workplace facilities for you, and assign you to an organizational unit and team. We generally keep this data for the duration of the employment relationship.

Administration data includes data such as details of your job position and employment contract (for example position, title, function, organizational unit, start and end of contract, starting salary, number of vacation days, schedule, including night or weekend work, etc.), your work location (including home office information), your professional contact details (for example professional mailing address, e-mail address and telephone number), your photograph (for example for the intranet and our website), information about your team (such as your supervisors, direct reports, mentors, subordinates, and other team members) and your emergency contacts (for example your spouse, next of kin and children) and their contact details (such as their name, date of birth, address and telephone number).

Health and well-being data: We collect data on your general health, occupational health and job satisfaction, information on the leaves you have taken and the reasons for those leaves, as well as accident records. We generally keep this data for the duration of the employment relationship and for [5] years from the end of the employment relationship. This period may be longer where required for evidentiary purposes, to comply with contractual or legal requirements (including local applicable laws), or for technical reasons.

Health and well-being data includes data such as details on your occupational health, periods of leave you have taken (for example holiday, sick leave, family leave, etc.) and the reasons for such leave, medical certificates, circumstances of an accident, special health needs related to the workplace and your job (for example the requirement for wheelchair access), as well as your general well-being and job satisfaction. This includes health data.

Behavioral and preference data: We collect the data in relation to your preferences in our IT systems, internal platforms, applications and tools. Depending on our relationship with you, we try to get to know you better and to tailor our services and offers to you, for example on the recruitment portal. For this purpose we collect and process data about your behavior and preferences. Based on this data, we can for example determine the likelihood that you will be interested in certain job openings. The data processed for this purpose is already known to us (for example where and when you apply for job openings), or we collect it by recording your behavior (for example how you navigate our recruitment portal). We anonymize or delete this data when it is no longer relevant for the purposes pursued, which, depending on the nature of the data, may be between [2-3] weeks and [24] months (for job preferences). This period may be longer for evidentiary purposes, to comply with legal or contractual requirements, or for technical reasons. We describe how tracking works on our recruitment portal in Section 11.

Behavioral data is information about certain actions, such as your response to electronic communications (for example if and when you have opened an e-mail) or your location, as well as your interaction with our social media profiles.

Preference data tells us what your needs are, which services or job openings might be of interest to you or when and how you will likely respond to messages from us. We obtain this information from the analysis of existing data, such as behavioral data, so that we can get to know you better, tailor our offers more precisely to you and generally improve our offers. To improve the quality of our analyses, we may combine this data with other data that we also obtain from third parties, such as publicly available sources such as the Internet, for example with information about your professional qualifications, publications and anonymous information from statistical offices. Preference data also tells us your communication preference in relation to the use of our IT systems, internal platforms, applications and tools (for example language settings or your automatic e-mail signature).

Behavioral and preference data may also be combined with other data (for example, motion data may be used for contact tracing as part of a health protection concept).

Other data: We also collect data from you in other situations. For example, data that may relate to you (such as files, evidence, etc.) is processed in relation to administrative or judicial proceedings. We may also collect data for health protection (for example as part of health protection concepts). We may obtain or create photos, videos and sound recordings in which you may be identifiable (for example, at a company event, with security cameras, etc.). We may also collect data about who enters our premises, offices and other workplace facilities, and when, or who has access rights (including in relation to access controls, based on registration and account data or lists of visitors, etc.), and who uses our infrastructure and when. The retention period for this data depends on the purpose and is limited to what is necessary. This ranges from a few days for most security cameras, to usually a few weeks in case of visitor data that is usually kept for [3] months, to several years or longer for reports about company events with images.

Much of the data set out in this Section 3 is provided to us by you (through your application forms, application documents, when you communicate with us in the context of the recruitment portal, in the context of the performance of the employment contract, in relation to the payment of your salary, etc.). You are not obliged or required to disclose data to us except in individual cases (legal obligations). If you want to enter into an employment relationship with us or use our services (in particular on the recruitment portal), you must also provide us with certain data, in particular qualification data, reference data and – as may be the case on the recruitment portal – registration and account data, in order to be able to submit your application and be eligible as a candidate for the advertised position. Application to certain positions may be available only through the recruitment portal. When using our recruitment portal, the processing of technical data cannot be avoided. Depending on the job position at issue, we will also insist on collecting publicly available data, reference data and candidate assessment data if you want us to proceed with your job application. If your application is successful and you want to enter into an employment relationship with us and use our IT systems and internal platforms, you must also provide us with certain data, in particular technical data, account data, administration data and financial data in order to enable us to manage the employment relationship with you and provide you with access to our buildings, facilities and IT systems.

We provide certain services to you only if you provide us with registration and account data, because we or our contractual partners want to know who uses our services, including our recruitment portal, because it is a technical requirement or because we want to communicate with you. We can only consider your application if you provide us with the requested qualification data. If you do not provide us with the data necessary for the position you apply for, this may result in our inability to consider your candidacy. In this case, however, before rejecting your candidacy, we will give you the opportunity to provide us with the missing information or documents within a set period of time. Further, during the process of assessing you as a candidate for a particular position, we will, depending on the position, also have to assess your suitability for the position by collecting publicly available data (e.g., to verify the statements you have made and understand your qualifications) or reference data, or by having you undergo a further assessment resulting in the collection of qualification data and other data. Similarly, we can only submit a response to a request from you if we process communication data and – if you communicate with us online – possibly also technical data. Also, the use of our corporate network and IT systems is not possible without us receiving technical data.

Once you are employed with us, you will only be able to use our IT systems, internal platforms, applications and tools and, depending on the situation, access our buildings or use our infrastructure if you provide us with certain account data. Further, in order to perform our employment relationship with you, we will need to collect administration data and performance and training data in order to maintain your personnel file with us. We will also collect financial data in order to pay your salary, company allowances and other benefits, health and well-being data to keep track of your leaves and assess your general well-being and job satisfaction, work result data for the content you have created for us or shared with us, as well as preference data in relation to the use of our IT systems.

As far as it is not unlawful, we also collect data from public sources (for example the internet, including professional social media websites, etc.) or receive data from other companies within the Novocure group, and from other third parties (such as credit agencies, background check agencies, internet analytics services, etc.).

The categories of personal data that we receive about you from third parties include, in particular, information that we receive in relation to administrative and legal proceedings, information regarding the validation of the information you have provided us in your qualification data (for example university degrees, former employments), other background check information (for example your debt collection status or sanctions listing status, where relevant), what you have been posting on the internet or what other people did (for example, appraisals of you on your professional social media profile), information from other contractual partners of ours about your use of our services (for example job applications submitted on the job portal), and other socio-demographic data (especially for research purposes).

 

For what purposes do we process your data?

We process your data for the purposes explained below. Further information is set out in Section 11 for online services. These purposes and their objectives represent interests of us and potentially of third parties. You can find further information on the legal basis of our processing in Section 5.

We process your data for purposes related to communication with you, in particular in relation to responding to inquiries, your employment and with the exercise of your rights (Section 10) and to enable us to contact you in case of queries. For this purpose, we mainly use communication data and registration data in relation to our recruitment portal. We keep this data to document our communication with you, for quality assurance and for follow-up inquiries.

The above includes all purposes in relation to which we communicate with you, whether in the context of your application, authentication for the purposes of the recruitment portal, our employment relationship, as well as post-employment relationship with us, or for quality assurance. We further process communication data to enable us to communicate with you by e-mail and telephone, as well as other means of communication. Communication with you usually takes place in relation to other processing purposes, for example, at the recruitment stage, to enable us to arrange an interview with you, to inform you of the outcome of your application, to contact you should another potentially suitable vacancy with the Novocure group arise, to deal with any query, challenge or request for feedback received in relation to our recruitment decision; moreover, as an employee, communications exchanged during the employment or work contract for the purposes of performing such contract (including all internal correspondence with Novocure group employees and support functions, as well as external correspondence with customers, suppliers, business partners, etc.) or in relation to post-employment communications (for example to give references about you to prospective employers, in relation to post-employment litigation proceedings, etc.), as well as communications in relation to responding to the exercise of your rights as a data subject. Our processing also serves to document the communication and its contents.

We process your data in order to determine whether you are a suitable candidate for the position you have applied for and to decide whether we would like to enter into an employment relationship with you. For this purpose, we mostly use qualification data, publicly available data, reference data and candidate assessment data. We process this data to progress your application through the different recruitment stages, to verify the qualifications information you have provided, to document our recruitment process and maintain employment records, as well as to document our decision-making process and make an informed recruitment decision.

The above includes all purposes in relation to the pre-contractual steps necessary for the purposes of entering into an employment contract with you, such as informing the competent persons at the individual Novocure group company of your application (for example the hiring manager, hiring team members, the employees of the HR department, etc.), making an informed decision to shortlist you for an interview, arranging interviews with you, obtaining relevant references about you, verifying the qualifications information you have provided, and preparing your employment where you receive and accept an offer of employment with us.

Most of the data we process is obtained directly from you in your application documents. Certain data, however, is obtained from third parties (for example, referees, supervisors, co-workers) or from public sources (for example, professional social media networks, such as LinkedIn and Xing). Again, we process this data to assess your suitability for the position you have applied for.

We further process your data for market research, to improve our services on the recruitment portal, for developing our hiring processes and internal statistical purposes.

We strive to continuously improve our services on the recruitment portal and to respond quickly to changing needs. We therefore analyze, for example, how you navigate through our recruitment portal and how new layouts of such recruitment portal might look (for further details, see Section 11). This helps us understand the market acceptance of existing services and the market potential of new services on the recruitment portal. To this end, we process in particular behavioral data and preference data, but also communication data and other information, for example from social media, the Internet and other public sources. We also want to understand the employment market and we want to improve the way we identify and employ new workers. This may require us to use qualification data, publicly available data and candidate assessment data to analyze it and create statistics. We use pseudonymized or anonymized data for these purposes, to the extent possible.

If your application is successful, we process your data for the purpose of concluding, executing and managing our employment relationship with you, and for the purpose of terminating our employment relationship and managing our post-employment relationship with you. For these purposes, we process in particular qualification data, administration data, financial data and performance, health and well-being data and training data.

We process your data for the purpose of managing our employment relationship with you, such as preparing, negotiating and concluding your employment contract and its subsequent amendments, completing onboarding formalities and processes, managing your personnel file with us (including information about your employment, working hours, bank details, salary, benefits, expenses, insurance details and work commitment and performance), managing your absences and vacations (including handling accident and illness reports, as well as compensatory leave for overtime hours worked), facilitating a return to work and determining your fitness for work, providing and administering salaries, benefits, pensions and incentive schemes (including bonuses and shares in the Novocure group), managing expenses (for example maintaining expense accounts, determining and paying expense allowances), issuing instructions and guidelines, communicating with insurance companies (for example social security institutions and pension funds) and reporting to government agencies (for example tax authorities and debt collection agencies), preparing interim and final work certificates, preparing, negotiating and terminating your employment contract, completing offboarding formalities and processes and, once the employment contract is terminated, providing reference information to prospective employers where you name us as a referee. This may include health data.

We process your data for professional development and training purposes. For these purposes, we mainly process qualification data, administration data and performance and training data.

We process your data for the purpose of assessing your training and development needs for your role and professional development, offering internal or external training and further professional development programs, and supporting you in your internal career planning.

We also process your data for the provision and operation of IT systems, internal platforms, applications and work tools and resources.

This includes, in particular, the provision and operation of our IT systems, internal platforms, applications and work tools (including software, collaboration and communication tools) and the provision and billing of communication services (including professional cell phone, e-mail address and other communication tools). It also includes making available for you other resources such as cars, work devices and third party services you need for your work. For these purposes, we mainly use technical data, account data, communication data, and information in connection with the use of your professional e-mail address and telephone number.

We process your data for the creation, use and exploitation of work results.

This includes, in particular, the internal and external use and exploitation of the results of your own work and the work of others, including the content that you and others create or edit, or participate in creating or editing, for us or share with us in the course of working for us (for example presentations, memorandums, minutes of meetings, reports, drawings, graphics, sketches, corporate publications, official filings, contracts, etc.), whether or not such work results are protected under intellectual property laws. To this end, we mainly use work result data.

We process your data for work planning and scheduling and in relation to the execution of work assignments or company events.

We process your data for the purpose of planning and scheduling the execution of tasks, projects and assignments internally and externally with other third parties (for example customers, suppliers, business partners, etc.) and executing those tasks, organizing customer visits, organizing business travels, planning and organizing transfers and postings within the Novocure group, or company events. In this regard, we use, in particular, qualification data, administration data, health and well-being data, as well as performance and training data. This may include health data.

We process your data for health prevention.

We process your data for the purpose of planning, implementing and monitoring health protection concepts against diseases and epidemics. For this purpose, we mainly process health and well-being data. This may include health data.

We process your data for behavioral and performance evaluation.

We process your data for the purpose of assessing your performance at work (including your skills, qualifications, working hours and achievement of set goals), issuing probation reviews and performance development reviews (PDRs), maintaining disciplinary records (including details of any disciplinary or grievance procedures in which you have been involved, such as warnings or penalties imposed on you and related correspondence) and imposing disciplinary measures and verifying their compliance and effectiveness.

We process your data for the purpose of publishing and distributing internal and external communications.

The above includes, in particular, the creation, publication and distribution of internal and external communications on the internet, intranet, employee directories, internal platforms and other internal collaboration and communications tools. We mainly use qualification data, performance and training data, health and well-being data, employee content data and «other data». This may include health data.

We process your data for team and organizational development.

The above includes all purposes in relation to the planning and organization of the team and organization unit assigned to you, such as taking measures in relation to its organization or reorganization (including organization and coordination regarding the workplace, team members, etc.) and planning its development.

We process your data for the purpose of security, access control and system use.

We continuously review and improve the appropriate security of our IT systems and other infrastructure (for example buildings) and resources (for example vehicles). Like all companies, we cannot exclude security breaches with certainty but we do our best to reduce the risks. We therefore process data, for example, for monitoring, inspecting, analyzing and testing our corporate networks and IT infrastructures, for system and error checks, for documentation purposes and as part of backups. Access controls include controlling access to our IT systems (for example logging into our IT systems with your employee user account), as well as physical access control (for example access and exit controls of our buildings, premises and facilities). For security purposes, we also keep access protocols and visitor lists and use surveillance systems (for example recording by security cameras). We will inform you about surveillance systems at the relevant locations through appropriate signage. Systems use includes measuring the performance of our IT systems by analysing employee usage of our Novocure group systems (including analysing times, locations and activities whilst users are logged into the corporate network). For these purposes, we mainly process technical data, account data and «other data».

We process personal data to comply with laws, directives and recommendations from authorities and internal regulations («Compliance»).

This includes implementing security concepts to prevent fraud and other criminal offences. We may also be required to make certain clarifications about you, to report to authorities or monitor diversity requirements in certain cases. This also covers disclosure, information or reporting obligations, for example in connection with supervisory authorities, as well as archiving obligations and the prevention, detection and investigation of criminal offenses and other violations. This includes receiving and processing complaints and other reports, monitoring communications, and disclosing documents to an authority if we have sufficient reason or are legally obliged to do so. For these purposes we mainly process qualification data, administration data, performance and training data, financial data, employee content data, but also, under certain circumstances, data from the category of «other data». The legal obligations may arise under European, English and Swiss law or other regulations that apply to us, as well as self-regulations, industry standards, our own «corporate governance» and instructions and requests from authorities.

We also process data for the purposes of our risk management and as part of our corporate governance, including business organization and development.

For these purposes, we process in particular account data, qualification data, administration data, financial data, employee content data, health and well-being data, but also technical data and communication data. For example, as part of our financial management, we need to monitor our accounts receivable and accounts payable, and we need to avoid becoming victims of crime and abuse, which may require us to analyze data for relevant patterns of such activities. In the context of planning our resources and organizing our operations, we may need to evaluate and process data relating to the use of IT systems and other infrastructure, workplace facilities and premises or share information about them with others (for example outsourcing partners), which may also include your data. The same applies with respect to services provided to us by third parties. As part of our business development, we may sell businesses, parts of businesses or companies to others or acquire them from others or enter into partnerships, which may also result in the exchange and processing of data (including from you, for example as an employee or external staff).

We may process your data for further purposes, for example as part of our internal processes and administration.

These further purposes include, for example, protecting our rights (for example to enforce claims in or out of court, and before authorities in Switzerland and abroad, or to defend ourselves against claims, for example by preserving evidence, conducting legal assessments and participating in court or administrative proceedings) and evaluating and improving internal processes. This also includes safeguarding other legitimate interests that cannot be named exhaustively.

 

On what basis do we process your data?

Where we ask for your consent for certain processing activities (for example for processing sensitive personal data), we will inform you separately about the relevant processing purposes. You may withdraw your consent at any time with effect for the future by providing us written notice (by mail) or, unless otherwise noted or agreed, by e-mailing us; see our contact details in Section 2. For withdrawing consent for online tracking, see Section 11. Where you have a user account on our recruitment portal, you may also withdraw consent or also contact us through such recruitment portal. Once we have received notification of withdrawal of consent, we will no longer process your information for the purpose(s) you consented to, unless we have another legal basis to do so. Withdrawal of consent does not, however, affect the lawfulness of the processing based on the consent prior to withdrawal. If you withdraw consent for processing personal data we require for assessing or employing you for a particular position, we will no longer be able to continue with your application for such position.

Where we do not ask for consent for processing, the processing of your personal data relies on the basis of processing for initiating and/or performing an employment contract (or other contract under which you are working for us, for example as a contractor) with you or on our or a third-party legitimate interest in the particular processing operation, in particular in pursuing the purposes and objectives set out in Section 4 and in implementing related measures. This also includes compliance with legal regulations, where compliance is not recognized as a legal basis by applicable data protection law (for example in the case of the GDPR, the laws in the EEA and in the case of the Swiss DPA, Swiss law).

Where we receive sensitive personal data (for example health data, data about political opinions, religious or philosophical beliefs, data revealing racial or ethnic origin, and biometric data for identification purposes), we may process your data on other legal bases, for example, in the event of a dispute, as required in relation to a potential litigation or for the enforcement or defense of legal claims. In some cases, other legal bases may apply, which we will communicate to you separately as necessary.

 

With whom do we share your data?

In relation to our employment relationship with you or our potential employment relationship with you, our legal obligations, or otherwise in relation to the protection of our legitimate interests and the other purposes set out in Section 4, we may disclose your personal data to third parties, including the following categories of recipients:

Group companies: A list of our group companies can be found at https://www.novocure.com/our-global-community/. When you apply for a job opening with us on our recruitment portal, we share your application and, with it, your qualification data with the individual Novocure group company that posted the job opening in question on the recruitment portal, for the purposes of being processed by that group company for that particular job opening. That Novocure group company becomes the sole controller of the further processing of your data with regard to such job opening. Additionally, the individual Novocure group company to which you have applied may, with your consent, share your data with other Novocure group companies so that they may contact you about future job opportunities with them that may be of interest to you, with those Novocure group companies acting as sole controllers for such purposes. If you are an employee of a Novocure group company, this company may share your data with other Novocure group companies or group functions in order to be processed by them for their own purposes (for example group wide statistics, group wide computer and telephone directories), with those Novocure group companies or group functions acting as sole controllers for such purposes. Additionally, if you are already employed by a Novocure group company and are transferred or seconded to another Novocure group company, the former will share your data with the latter and the latter will become a separate controller for the purpose of performing your new employment relationship with it.

The group companies have access particularly to your qualification data, publicly available data, reference data, account data, administration data, performance and training data, financial data and health and well-being data.

Service providers: We work with service providers in the EEA, the United Kingdom, Switzerland and abroad who process your data on our behalf or as joint controllers with us or who receive data about you from us as separate controllers (for example IT providers, talent acquisition service providers). This may include health data. For the service providers used for our recruitment portal, see Section 11. Our key service provider for talent acquisition is Predictive Index, 101 Station Drive, Westwood, MA 02090, United States.

In order to be able to reach out to and receive applications from new candidates, deliver our services (including our services on the recruitment portal) efficiently, to optimize our IT systems and internal applications and tools, and to focus on our core competencies, we procure services from third parties in various areas. These include IT services, talent acquisition services, communication services, HR services and payroll processing companies. We disclose the data that these providers require for their services, which may also concern you. These providers may also use such data for their own purposes, for example anonymized information to improve their services. In addition, we enter into contracts with these providers that include provisions to protect data, where such protection does not follow from the law.

Former and future employers, other organizations referred to in your curriculum vitae: We may also disclose your data to former employers when you apply for a job with us (for example, reference information) or to future employers when you apply for a new job. These former and future employers act as separate controllers. The same applies to other organizations we may contact for validating your qualification data.

We will particularly disclose data related to your reference data, your identity and, eventually, the information we want to have verified. However, we will only do so with your prior consent.

Authorities: We may disclose personal data to agencies, courts and other authorities in the EEA, the United Kingdom, Switzerland and abroad, if we are legally obliged or entitled to make such disclosures or if it appears necessary to protect our interests. This may include health data. These authorities act as separate controllers.

Examples are criminal investigations, police measures (for example health protection concepts), social security and regulatory requirements, judicial proceedings, reporting obligations and proceedings in and out of court as well as legal obligations to provide information and to cooperate.

Customers and business partners: We may disclose personal data to our customers, clients and other business partners in relation to the execution of contracts or assignments we have concluded with them. These customers and business partners typically receive your data as separate controllers and, in some instances, as joint controllers.

Examples are customers, clients, suppliers, sub-contractors and other business partners with which we have concluded a contract or an assignment (for example sharing your work results, your contact details and your curriculum vitae as part of a client assignment).

Other persons: This means other cases where interactions with third parties follow from the purposes set out in Section 4. Where these other persons determine the purposes and means of the processing and process your data for their own purposes, they act as separate controllers.

Other recipients are, for example, insurance companies (for example social security institutions and pension funds), other persons involved in administrative or legal proceedings, and the public (for example with respect to information contained on our website, in press releases and brochures).

All these categories of recipients may involve third parties, so that your data may also be disclosed to them. We can restrict the processing by certain third parties (for example IT providers), but not by others (for example public authorities).

 

Is your personal data disclosed abroad?

As explained in Section 6, we disclose data to other parties. These are not all located in Switzerland. Your data may therefore be processed both in Europe and in the United States; in exceptional cases, in any country in the world.

If a recipient is located in a country without adequate statutory data protection, we require the recipient to undertake to comply with data protection (for this purpose, we use the European Commission’s current standard contractual clauses and revised standard contractual clauses) unless the recipient is subject to a legally accepted set of rules to ensure data protection and unless we cannot rely on an exemption. An exception may apply for example in case of legal proceedings abroad, but also in cases of overriding public interest or if the performance of a contract requires disclosure, if you have consented or if data has been made available generally by you and you have not objected against the processing.

Many countries outside of the EEA, the United Kingdom and Switzerland currently do not have laws that ensure an adequate level of data protection under the GDPR or the DPA. The contractual arrangements mentioned compensate for this weaker or missing legal protection to some extent. However, contractual precautions cannot eliminate all risks (namely of government access abroad). You should be aware of these remaining risks, even though they may be low in an individual case, and we take further measures (for example pseudonymization or anonymization) to minimize them.

Please note that data exchanged via the internet is often routed through third countries. Your data may therefore be sent abroad even if the sender and recipient are in the same country.

 

How long do we process your data?

We process your data for as long as our processing purposes, the legal retention periods and our legitimate interests in documentation and keeping evidence require it or storage is a technical requirement. You will find further information on the respective storage and processing periods for the individual data categories in Section 3 (for example, unsuccessful job applications are usually returned after [3] months, unless we agree to keep them longer). If there are no contrary legal or contractual obligations, we will delete or anonymize your data once the storage or processing period has expired as part of our usual processes.

Documentation and evidence purposes include our interest in documenting the recruitment processes and our decision-making process in relation to the recruitment processes, as well as our interactions and other facts in view of legal claims, inconsistencies, IT and infrastructure security requirements and demonstrating good corporate governance and compliance. Retention may be a technical requirement if certain data cannot be separated from other data and we therefore need to keep it with it (for example in case of backups or document management systems).

 

How do we protect your data?

We take appropriate security measures in order to maintain the required security of your personal data and ensure its confidentiality, integrity and availability, and to protect it against unauthorized or unlawful processing and to mitigate the risk of loss, accidental alteration, unauthorized disclosure or access.

Technical and organizational security measures may include encryption and pseudonymization of data, logging, access restrictions, keeping backup copies, giving instructions to our employees, entering confidentiality agreements, and monitoring. Specifically, we take appropriate organizational measures to ensure that our employees have access to your data on a need-to-know basis, to the extent necessary for the purposes described in this Privacy Notice and the activities of the employees concerned. This includes, in particular, the hiring manager and the hiring team members at the individual Novocure group company, the employees of the HR department and support areas, such as the administrative and IT departments. In relation to Predictive Index, your assessment results will only be reviewed by the employees of the HR department and the hiring manager. Our employees act in accordance with our instructions and are bound to confidentiality and discretion when processing your data.

We protect your data that is sent through our websites in transit by appropriate encryption. However, we can only secure areas in our control. We also require our data processors to take appropriate security measures by entering into the necessary data processing agreements with them. However, security risks can never be excluded completely; residual risks are unavoidable.

 

What are your rights?

Applicable data protection laws grant you the right to object to the processing of your data in some circumstances, in particular for processing activities on the basis of legitimate interest.

To help you control the processing of your personal data, you have the following rights in relation to our data processing, depending on the applicable data protection law:

  • The right to request information from us as to whether and what data we process from you;
  • The right to have us correct data if it is inaccurate;
  • The right to request erasure of data;
  • The right to request that we provide certain personal data in a commonly used electronic format or transfer it to another controller;
  • The right to withdraw consent, where our processing is based on your consent;
  • The right to receive, upon request, further information that is helpful for the exercise of these rights.

If you want to exercise the above-mentioned rights in relation to us (or with one of our group companies), please contact us in writing, at our premises or, unless otherwise specified or agreed, by e-mail; you will find our contact details in Section 2. In order for us to be able to prevent misuse, we need to identify you (for example by means of a copy of your ID card, unless identification is not possible otherwise).

You also have these rights in relation to other parties that cooperate with us as separate controllers – please contact them directly if you want to exercise your rights in relation to their processing. You will find information on our key service providers in Section 6.

Please note that conditions, exceptions or restrictions apply to these rights under applicable data protection law (for example to protect third parties or trade secrets). We will inform you accordingly where applicable.

In particular, we may need to continue to process and keep your personal data in order to enter into and perform an employment contract with you (in such case, your data will become part of your personnel file with us), to protect our own legitimate interests, such as the assertion, exercise or defense of legal claims, or to comply with legal obligations. To the extent legally permitted, in particular to protect the rights and freedoms of other data subjects and to safeguard legitimate interests, we may also reject a subject request in whole or in part (for example by redacting content that concerns third parties or our trade secrets).

If you do not agree with the way we handle your rights or with our data protection practices, please first contact your line manager and HR team members. You may also contact us or our Data Protection Officers (Section 2). If you are located in the EEA, in the United Kingdom or in Switzerland, you also have the right to lodge a complaint with the competent data protection supervisory authority in your country. You can find a list of authorities in the EEA here: https://edpb.europa.eu/about-edpb/board/members_en. You can reach the UK supervisory authority here: https://ico.org.uk/global/contact-us/. You can reach the Swiss supervisory authority here: https://www.edoeb.admin.ch/edoeb/en/home/the-fdpic/contact.html.

 

Can we update this Privacy Notice?

This Privacy Notice is not part of a contract of employment with you. We can change this Privacy Notice at any time. The version published on the recruitment portal and intranet, respectively, is the current version. If we make significant changes to this Privacy Notice, we will inform you by notice on the Novocure group intranet or by email.

Last updated: 1 June, 2022