Privacy Notice for Job Applicants

CliniRx Research Private Limited together with its affiliates and subsidiaries (“CliniRx”, “we”, “us”, or “our”) is committed to protecting the privacy and security of your personal information during the recruitment process.

This privacy notice explains what personal data we collect about you, how and why we use it, how long we retain it, and with whom we may share it. It also outlines your rights under the applicable data protection laws, including the EU GDPR, the UK General Data Protection Regulation (UK GDPR), and the UK Data Protection Act 2018. Please ensure that you read this privacy notice and any other similar notice we may provide to you when we collect or process personal information about you.

Data Controller and Contact Details

Unless otherwise stated, the data controllers for the purposes of this Privacy Notice are CliniRx Research Private Limited together with its affiliates and subsidiaries as listed in our Contact Us – Our Global Offices page on our Website . Depending on your interaction with us, these entities may act independently or jointly as data controllers.

You can contact the relevant CliniRx entity acting as data controller of your personal data through our Privacy Office at privacy@clinirx.com. We will ensure your query reaches the appropriate entity. You may also find direct contact details of all CliniRx entities in our list of office locations.

If applicable, you may also contact our Data Protection Officer (DPO) at: gdpr@clinirx.com.

In circumstances where CliniRx acts only on a third party’s instructions (i.e. acting as a data processor), that third party is the data controller of your personal data, and their privacy notice will apply to you instead of this one.

What Personal Data We Collect

We may collect and process the following categories of information during the recruitment process:

• Identification and contact details (e.g. name, address, telephone number, email)
• Date of birth and gender (as applicable)
• Employment and education history, qualifications, and other details from your CV or application
• Information shared via your LinkedIn profile (if referenced)
• Interview notes, assessment results, and communications with you
• Pre-employment checks, including references and right-to-work documentation
• Any other personal information you provide during the process

Special category data may be processed only where required by law or where you choose to disclose it, for example, health information relevant to making reasonable adjustments during the recruitment process. CliniRx does not ask for information such as ethnicity, union membership, or religious beliefs during recruitment. If such information becomes relevant after an offer of employment, it will be processed in accordance with applicable data protection laws and internal HR policies.

How We Obtain and Use Your Information

The personal information we hold about you is collected from a variety of sources, including:

• Your recruitment application and the supporting information you included with it (either directly or through a recruitment agency)
• Pre-employment checks, vetting and references from external parties
• Data generated during the recruitment process, including correspondence with you, interview notes, and assessment results

CliniRx and the companies that process recruitment related information on our behalf will use your personal information to:

• Evaluate your application and assess your suitability for the role
• Communicate with you throughout the recruitment process
• Determine whether to invite you for interview or make an offer of employment
• Carry out relevant pre-employment checks
• Maintain a record of the recruitment process and its outcomes, for audit or equal opportunity monitoring purposes

Your personal data will only be accessed by authorised personnel involved in the recruitment process (e.g. HR, hiring managers, interviewers) and only to the extent necessary for them to perform their role.

Where applicable, we may also share your information with third-party service providers involved in recruitment, such as agencies or assessment platforms, as described in the “Who We Share Your Data With” section.

Legal Bases for Processing

Under privacy and data protection legislation, CliniRx is only permitted to use your personal information where we have a valid legal reason, or ‘legal basis’, to do so. In the context of your recruitment application, the legal bases we rely on are:

• The performance of a contract, or to take steps at your request prior to entering into a contract, in this case an employment contract
• Compliance with our legal obligations, such as verifying your right to work
• Our legitimate interests in managing an effective recruitment process and in establishing, exercising, or defending legal claims

Where CliniRx processes special category data, we rely on one or more of the following legal bases:

• Your explicit consent where applicable
• The necessity for carrying out obligations and exercising specific rights in the field of employment law
• The necessity for the establishment, exercise or defence of legal claims
• The necessity to ensure equality of opportunity or treatment
• The necessity for the prevention and detection of crime or fraud

In addition, for recruitment in the UK, we rely on processing conditions at Schedule 1 part 1 paragraph 1 of the Data Protection Act (DPA) 2018, which permits the processing of special category data for employment purposes.

If You Do Not Provide Your Data

If you do not provide necessary personal data, we may be unable to process your application or comply with our legal obligations (e.g. verifying your right to work in the UK).

Change of Purpose

We will only use your personal information for the purposes for which it was collected, unless we reasonably consider that we need to use it for another purpose that is compatible with the original one.

If we need to use your personal data for an unrelated purpose, we will inform you and explain the legal basis that allows us to do so.

Please note that we may process your personal information without your knowledge or consent where this is required or permitted by law.

Who We Share Your Information With

CliniRx shares your data with third parties where necessary for recruitment purposes, for example, to obtain references from previous employers or conduct pre-employment checks. We also engage third-party service providers who support our recruitment and selection processes, such as recruitment agencies or application platforms.

These service providers process personal information on our behalf and under our instructions. They are required to implement appropriate technical and organisational measures to protect your data and are subject to strict confidentiality obligations.

If you applied for a role through a recruitment agency, please note that the agency may process some of your personal data independently of CliniRx and act as a separate data controller. For information about how your data is handled by the agency, including how it is collected and shared, you should refer to the privacy notice of the agency with which you have been in contact.

In exceptional cases, we may disclose applicant information to law enforcement agencies, where permitted by data protection law, for example, where it is necessary for the prevention or detection of crime or the apprehension or prosecution of offenders. Such disclosures are assessed on a case-by-case basis to ensure they are lawful and proportionate.

CliniRx may also disclose your personal information to third parties in the following situations:

• Where necessary to establish, exercise, or defend our legal rights (e.g. in the context of a legal claim or proceeding)
• In an emergency, where your health or personal safety is at serious risk
• Where we are otherwise legally required or permitted to do so

International Transfers

CliniRx and its service providers may process your personal information in countries both within and outside the United Kingdom (UK) and the European Economic Area (EEA), including countries such as India.

Whenever we transfer your personal data outside the UK or EEA, we ensure that appropriate safeguards are in place to protect it. These may include:

• Transfers to countries that have been deemed to provide an adequate level of protection for personal data by the UK Government or the European Commission;
• Where personal data is transferred to countries without an adequacy decision, CliniRx may rely on appropriate safeguards, such as Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA), to ensure that the data is protected to a level essentially equivalent to that in the UK and EU
• Where we use providers based in the United States, we may transfer data to them if they are certified under the Data Privacy Framework (DPF), or where other appropriate safeguards, such as Standard Contractual Clauses, are in place.

We regularly review these safeguards to ensure that your personal information remains protected in accordance with applicable data protection laws.

Automated Processing and Profiling

Under data protection legislation we have to let you know when we use your personal information to do something ‘automatically’ using our computers or other systems or use it to make an automated decision (without human intervention) that significantly affects you.

CliniRx does not make any recruitment related decisions based solely on the use of automated systems, databases or computer applications.

Access and Data Security

CliniRx takes the security of your personal data seriously and implements a range of measures to protect it throughout the recruitment process.

Your data is only accessible to authorised individuals involved in the recruitment process, such as HR staff, hiring managers, and others with a legitimate need to know. Access is role-based and strictly controlled.

Recruitment data is stored in secure systems protected by appropriate technical and organisational measures. These include but are not limited to: role-based access control, system auditing, anti-malware and antivirus protection, data encryption, firewalls, patch management, and secure network architecture with regular backups. These systems are designed to prevent loss, misuse, unauthorised access, or accidental destruction.

CliniRx also maintains internal policies and procedures, such as its Information Security Policy and Business Continuity and Disaster Recovery Plans, which support the ongoing protection and resilience of personal data.

Where CliniRx engages third parties to process personal data on its behalf, they do so on the basis of written instructions, are bound by duties of confidentiality, and are required to implement appropriate technical and organisational measures to ensure the security of the data.

All personnel with access to personal data are required to complete regular data protection training and to handle information in accordance with applicable internal policies and their confidentiality obligations.

We also have procedures in place to detect, investigate, and respond to suspected data breaches. Where legally required, we will notify you and the relevant supervisory authority of any such incident.

How Long We Keep Your Information

If your application for employment is successful, CliniRx will use your personal information to manage and administer your employment relationship in accordance with our employee privacy notice.

If your application is unsuccessful, we will retain your personal information for 12 months from the date the relevant recruitment campaign is closed.

We retain this data for the following purposes:

• To respond to any correspondence, concerns, or complaints
• To maintain records in line with applicable legal or regulatory requirements (e.g. employment law)
• To establish, exercise, or defend any potential legal claims

After this period, your data will be securely deleted or anonymised, unless we are required to retain it for a longer period due to a legal obligation or ongoing dispute.

Your Rights

As a data subject, you have a number of rights under data protection law. You can:

• Access your personal data and receive a copy upon request
• Request correction of inaccurate or incomplete personal data
• Request erasure of your data where there is no valid reason for us to continue processing it
• Object to the processing of your data where we are relying on legitimate interests as the legal basis
• Request restriction of processing in certain circumstances (e.g. while a correction or objection is being reviewed)
• Request data portability, in some cases and where applicable, allowing you to obtain and reuse your data for your own purposes across different services

If you would like to exercise any of these rights, please contact the Data Protection Officer (see contact details below).

Where we rely on your consent to process your personal information for a specific purpose, you have the right to withdraw that consent at any time. Withdrawing consent does not affect the lawfulness of any processing carried out before your withdrawal. Once we receive your withdrawal request, we will stop processing your data for the relevant purpose.

Complaints

If you have concerns about how we process your personal data, we encourage you to contact us so we can try to resolve the issue directly. You can reach us using the contact details provided at the end of this Privacy Notice.

You also have the right to lodge a complaint with a data protection authority:

• If you are located in the United Kingdom, you can contact the Information Commissioner’s Office (ICO): https://ico.org.uk/make-a-complaint
• If you are located in the European Union, you can raise your concern with your local supervisory authority. A list of EU data protection authorities is available at: https://edpb.europa.eu/about-edpb/board/members_en

How to Contact Us

If you have any questions about this Privacy Notice, how we handle your personal data, or if you would like to exercise your data protection rights, you can contact us at:

CliniRx Research Private Limited

Patriot House, 4th Floor
3 Bahadur Shah Zafar Marg
New Delhi – 110002, India

Phone: +91 11 30179797

Email: info@clinirx.com or privacy@clinirx.com

Or if you wish to contact our Data Protection Officer (DPO), please email: gdpr@clinirx.com

Changes to This Privacy Notice

We may update this Privacy Notice from time to time to reflect changes in our practices, legal obligations, or other operational needs. Any updates will be posted on this page with a revised “Last Updated” date at the top.

We encourage you to review this Privacy Notice periodically to stay informed about how we protect your personal data.