Candidate Privacy Notice

1. Personal Data We Collect

We may collect personal data directly from you, as a job applicant, or may receive personal data from third parties, for example, in connection with a background, employment, or reference check, subject to your consent where required by law. We may collect, store, and process the following categories of personal data, some of which we require in connection with our recruiting activities: 

• Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses. 
• Work history and other relevant experience including information contained in a resume, CV, cover letter, or job application. 
• Education information including degrees awarded, transcripts, and other information provided in support of the job application. 
• Information collected during phone screenings and interviews. 
• Details regarding the type of employment sought, desired salary, willingness to relocate, job preferences, and other information related to compensation and benefits. 
• Reference information and information received from background checks, where applicable, including information provided by third parties. 
• Information related to previous applications to ISACA or previous employment history with ISACA. 

The personal data listed in this Privacy Notice is mandatory in connection with our recruiting activities. Failure to provide or allow us to process mandatory personal data may affect our ability to accomplish the purposes stated in this Privacy Notice.  

2. How We Use Your Personal Data

We process your personal data where applicable law permits or requires it in connection with carrying out our application and recruitment process, to take steps necessary to enter into an employment contract with you, where the processing is necessary to comply with a legal obligation that applies to us, for our legitimate interests or the legitimate interests of third parties, or with your consent if applicable law requires consent.  

We may process your personal data for the following purposes: 

3. How We Disclose Your Personal Data

We may disclose your personal information in the following situations were permitted or required by applicable law: 

• Affiliates. We disclose your information to other members of our group of companies for the purposes set out in this Privacy Notice and as necessary to administer the application and recruitment process. 
• Business Transactions. We may disclose your information with a potential buyer (and its agents and advisors) in connection with any proposed merger, acquisition, or any form of sale or transfer of some or all of our assets (including in the event of a reorganization, dissolution, or liquidation), in which case, personal information held by us about you will be among the assets transferred to the buyer or acquirer. 
• Service Providers. We share your information with our contractors, vendors, and service providers that assist us with administering the employment or working relationship with you and/or provide services to us or on our behalf. For example, service providers may include, but are not limited to, data storage or hosting providers and recruitment agencies.  
• Other Third Parties. We may disclose certain information with third parties who provide professional services (such as attorneys, auditors, accountants, and management consultants), professional bodies, and regulatory authorities in the normal course of business.  
• Legal or Regulatory Requests and Investigations. We may disclose your information to third parties under the following circumstances (i) to comply with relevant laws or regulations, to respond to a court order, administrative or judicial process, such as a subpoena, warrant, discovery request, court order, or government audit; (ii) in response to lawful requests by public authorities (such as national security or law enforcement); and (iii) as necessary to establish, investigate exercise or defend against potential, threatened or actual litigation (such as adverse parties in litigation). We may also need to share your information with tax authorities, courts, regulators, the police, and other governmental authorities where we are required or permitted to do so by law. 
• Protection of the Company or Others. We may share your information where necessary to protect the company, including to investigate, prevent, or take action regarding possible illegal activities, suspected fraud, safety of person or property, or a violation of our policies. 
• Disclosures with Your Consent. We may ask to share your information with other unaffiliated third parties who are not described elsewhere in this Privacy Notice. 

4. Your Rights 

Depending on the applicable law in your jurisdiction, you may have certain rights in relation to your personal data. Your rights may include: 

• Access and portability. You may ask us to confirm whether we are processing your personal data, provide you with details about such processing, and, in some limited circumstances, give you a copy of your personal data. You may ask us to provide your personal data in a structured, commonly used, machine-readable format, or you can ask to have it ported directly to another controller. 
• Erasure or deletion. You may ask us to delete the personal data that we hold about you. 
• Rectification or correction. You may ask us to correct any inaccurate or incomplete personal data that we hold about you. 
• Objection to processing. You may request that we stop processing your personal data for specific purposes including marketing and profiling. 
• Restriction of processing. You may request that we restrict the processing of your personal data in certain circumstances. 
• Withdraw Consent. Where our processing is based on your consent, you may have the right to withdraw your consent. 
• Lodge a complaint to your local Data Protection Authority. You may have the right to lodge a complaint with your national Data Protection Authority or equivalent regulatory body. 
• Automated decision-making. We do not employ solely automated decision-making, as a matter of course, that results in automated decisions being taken (including profiling) that legally affect you or similarly significantly affect you. If you are to be subjected to automated decision making, we will make it clear at the time and you have the right to contest the decision, to express your point of view, and to require a human review of the decision. 

These rights are not absolute and are subject to conditions or limitations as specified in applicable laws. If you would like to exercise any of the above rights, please access the Data Subjects Requests Page. We will process your request in accordance with applicable privacy and data protection laws. To protect your privacy and security, we may take steps to verify your identity before complying with the request. 

5. How We Protect Your Personal Data

We have implemented appropriate physical, technical, and organizational security measures designed to secure your personal data against accidental loss and unauthorized access, use, alteration, or disclosure. While we attempt to protect your personal data in our possession, no method of transmission over the internet or security system is perfect, and we cannot promise that information about you will remain secure in all circumstances. 

6. Data Retention

Except as otherwise permitted or required by applicable law or regulation, we will only retain your personal data for as long as necessary to fulfill the purposes we collected it for, as required to satisfy any legal, accounting, or reporting requirements, or as necessary to resolve disputes. To determine the appropriate retention period for personal data, we consider our statutory obligations, the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes we process your personal data for, and whether we can achieve those purposes through other means. We specify the retention periods for your personal data in our data retention policy. 

If you are offered and accept employment with ISACA, the personal data we collected during the application and recruitment process will become part of your employment record, and we may use it in connection with your employment consistent with our employee personal data policies. If you do not become an employee, or, once you are no longer an employee of ISACA, we will retain and securely destroy your personal data in accordance with our document retention policy and applicable laws and regulations. 

7. International Transfers

Where permitted by applicable law, we may transfer the personal data we collect about you to the United States and other jurisdictions that may not be deemed to provide the same level of data protection as your home country for the purposes set out in this Privacy Notice. If you are located in the EU, we have implemented the European Commission’s Standard Contractual Clauses for transfers of your personal data to the United States and other jurisdictions.  

8. Changes to This Privacy Notice

We may need to update this Privacy Notice from time to time to reflect changes in our business practices, data collection practices or changes in the applicable law, and we will provide you with a new Privacy Notice when we make any updates.