Candidate Privacy Policy

1. Policy title: Candidate Privacy Policy

2. Version: 1.0

3. Effective date: 15 October 2025

4. Review date: Annually

5. Policy owner: Head of People & Culture

6. Policy sponsor: Intersect Executive Director

Updated on 15 October 2025

7. Overview

Intersect MBO (“Intersect,” “we,” “our,” or “us”) is committed to protecting the privacy of all applicants participating in Intersect’s recruitment process. This policy explains how we collect, use, share, and protect personal data submitted during the hiring process, in accordance with applicable global data protection laws, including the EU General Data Protection Regulation (GDPR), UK Data Protection Act, and similar international frameworks.

8. Data we collect

We collect and process information provided through the application form or associated materials, including:

• Contact details (e.g. name, email, country of residence)

• Professional experience, qualifications, and references

• Motivation statements or other supporting documents

• Video recordings which supplement your application

• Optional demographic or community-related information

• Communication records relating to your application

We may also create anonymised candidate summaries for community polling (Members and DReps). These summaries will not include personal identifiers such as full names, contact details, photos, gender, or specific location information.

9. Purpose and Legal Basis

We process your personal data for the following purposes:

• Assessing your suitability for the role for which you have applied

• Conducting fair and transparent recruitment involving Intersect Members, DReps, and the Board who often times will vote on the recruitment of a candidate, using the anonymised data we have referenced above.

• Managing communications throughout the selection process

• Meeting governance and accountability commitments

Our legal bases for processing personal data include:

• Legitimate interest (conducting recruitment activities)

• Pursuant to Consent (each applicant understands the manner in which their personal data will be processed and has consented to such processing. If however, you do not agree with us using your personal data in this manner, you must notify the HRBP you are working with and we will withdraw you from the recruitment process and remove your personal data as requested. This will prohibit you from making future applications, providing you understand that we will need to process your personal data as a part of the recruitment process.

10. Data Sharing

Your personal data will only be shared as required for this hiring process. This includes:

• With internal Intersect staff managing recruitment and the Board for offer selection

• In anonymized form for Member and DRep polling

• With third-party service providers (e.g. Typeform, secure document storage) acting under data processing agreements

We will never sell or commercialise your data.

11. International Transfers

As a global organisation, your data may be transferred outside your country of residence. Where such transfers occur, we implement appropriate safeguards, including standard contractual clauses, undertake due diligence on how personal data is handled and stored and work to ensure that there are at minimum equivalent protections available under applicable law.

12. Data Retention

Your data will be retained securely for up to 12 months after the recruitment process concludes, unless you provide consent for a longer retention period. After this time, data will be securely deleted in its entirety or anonymised so you are no longer identifiable from it.

13. Your Rights

Depending on your location, you may have the right to:

a. Access, correct, or delete your personal data

b. Restrict or object to the processing of your personal data

c. Withdraw consent at any time (without affecting prior lawful processing)

d. Lodge a complaint with your local data protection authority

In the instance you wish to enact any of 13a- c above, please send your requests to [email protected] and we will get back to you within thirty days of the date of your request, complying as far as is reasonably practical. You understand that depending on the nature of your request, we may may charge you a reasonable fee in order to comply with your request.

14. Data Security

Intersect employs appropriate technical and organisational measures to safeguard personal data against unauthorised access, disclosure, alteration, or destruction.

In the event there is a data breach, we will act to minimise any risk to you and notify you of said breach within twenty four business hours, if you are affected.

15. Updates to this Policy

We may update this policy periodically to reflect legal, operational, or organisational changes. The latest version is the one available on Intersect’s public Knowledge Base.

If you have any questions that are not answered in this policy about how your data is processed during the recruitment process, please contact [email protected].