Candidate Privacy
INTRODUCTION
This Privacy Notice for the Bicycle Therapeutics group sets out the categories of your personal data we collect, how we collect it, what we use it for and with whom we share it, in accordance with applicable data protection legislation, including the General Data Protection Regulation (EU) 2016/679 as it forms part of United Kingdom law by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as subsequently amended (the UK GDPR) and the California Consumer Privacy Act, as amended (the “CCPA”).
By personal data we mean any information relating to you such as your name, contact details. Personal data does not include data which has been anonymised, such as data from equal opportunities monitoring carried out on an anonymised basis.
If your application is for a job based in the UK, BicycleTx Limited will be the data controller in respect of the processing of your personal data and in this Privacy Notice “Bicycle”, “we”, “us” or “our” refers to Bicycle Tx Limited.
If your application is for a job based in the US, Bicycle Therapeutics, Inc. will be the data controller in respect of the processing of your personal data and in this Privacy Notice “Bicycle”, “we”, “us” or “our” refers to Bicycle Therapeutics, Inc.
The data controller is responsible for deciding how personal data about you is used.
Should you have any questions about this Privacy Notice you can contact us using the details set out in the ‘Contact Us’ section below.
This Privacy Notice applies to personal data about you that we collect, use and otherwise process in connection with our recruitment, and if applicable, our offer and on-boarding processes. We do not require you to provide any special categories of personal data (as defined below), other than as set out below. We would recommend that you do not include any additional special categories of personal data in your application as it is unlikely to be relevant to the application process.
BICYCLE US’S REPRESENTATIVE IN THE UK
Bicycle Therapeutics, Inc’s UK representative under the UK GDPR is BicycleTX Limited. You can contact them by email and/or postal mail by using the contact details provided below.
HOW DO WE COLLECT INFORMATION ABOUT YOU AND WHAT DO WE USE IT FOR?
We set out below the types of personal data about you which we may collect or create at each stage of the recruitment process. In each case we have specified the purpose for which we use the relevant personal data and our ‘lawful basis’ for processing it. The law specifies certain ‘lawful bases’ for which we are allowed to use your personal data. Most commonly, we will rely on one or more of the following lawful bases for processing your personal data:
- where it is necessary for the performance of the contract;
- where it is necessary for compliance with a legal obligation to which we are subject; and/or
- where it is necessary for the purposes of the legitimate interests pursued by us or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of our recruitment candidates, which require their protection.
Where relevant, we have considered whether the interests or fundamental rights and freedoms of our recruitment candidates override our legitimate interests and have formed the view that they do not. We will review this position where relevant.
Application and assessment process
In connection with assessing your application we process the following categories of personal data (see also the section entitled ‘Special categories of personal data’ below):
- Information we collect from you at the application stage
We collect the personal data that you provide to us in your CV and covering letter. It is for you to decide what you include in these documents. However, the kinds of information you may wish to include are: name, contact details, details of your qualifications and information about your employment experience.
- Information we collect from you in the course of interviews
If you are invited to undertake further assessments (such as an interview) in connection with your application and your participation in such assessments, we may collect further personal data that you provide to us as part of that process. The kinds of information you may disclose, include information about your qualifications and information about your employment experience. You may choose to disclose salary history or salary expectations.
- Information we collect from third parties at the application stage
At the start of the application stage, we may receive personal data from recruitment services providers such as recruitment agencies, headhunters and executive search providers who refer you to us. The kinds of information we receive may include information about your qualifications and information about your employment experience.
- Information we create ourselves
Throughout the recruitment process, we may create personal data in connection with the assessment of your application. For example, we may record the views of those considering your application about your suitability for the role for which you have applied and retain interview notes. We may contact the individuals whose names you provide to us and record their views on your previous performance and on your suitability for the role for which you have applied and retain notes of these conversations. We may also reach out to individuals in our network who may know you and record their views on your previous performance and your suitability for the role for which you have applied and retain notes of these conversations.
We may use your name and contact details to contact you in connection with your application, such as to invite you to undertake further assessments or to make you an offer of employment. We have a legitimate interest in facilitating the interview process and communicating offers of employment to you.
We may use the information we collect as part of the application and assessment process and the information that we create ourselves in connection with the assessment of your application for the purpose of assessing your suitability for the role for which you have applied. We have a legitimate interest in making informed recruitment decisions and selecting suitable candidates for roles with us.
If your application is successful
If your application is successful we will collect further personal data about you as set out below (see also the section entitled ‘Special categories of personal data’ below):
- Background checking
We will undertake background checks, for example: obtaining evidence of employment from previous employers, verifying academic records and, for UK employees, requesting a copy of your P45. We will use the personal data contained in such documents to verify the details provided by you in the recruitment process. We have a legitimate interest in maintaining standards of integrity and excellence in our workforce.
- Identification information
We will collect copies of identification documents from you (such as your passport or driving licence, proof of address, a copy of your work permit (where applicable), a photograph and a copy of your signature). We use this information to comply with immigration requirements and to verify your identity for our own internal security purposes. This personal data is required for us to comply with our legal obligations and for the performance of your employment contract with us.
SPECIAL CATEGORIES OF PERSONAL DATA
There are more limited bases for processing special category personal data. This is personal data which reveals or contains:
- racial or ethnic origin
- political opinions
- religious and philosophical beliefs
- trade union membership
- genetic data
- biometric data
- health data
- sex life or sexual orientation
We will process special category personal data because we have a lawful basis for doing so and because it is necessary:-
- for the purposes of carrying out our obligations and exercising specific rights in the field of employment and social security law (employment law obligations); and/or
- for building more inclusive and diverse teams; and/or
- for the assessment of the working capacity of a successful candidate.
However, we may also process special category data because: it is necessary in relation to legal claims; it is necessary for reasons of substantial public interest or, in limited circumstances, you have given explicit consent.
The special categories of data about you which we may collect, store and use are set out in the table below and in each case we have specified the purpose and our ‘lawful basis’ for processing it.
Category of special categories of personal data | Examples | Purpose | Lawful basis for processing |
Medical/health information as part of the application process. Data concerning health may include your body temperature, health symptoms and other screening information. | Information re any mental or physical impairment which may cause a disadvantage to you during the recruitment process. Health information in connection with the Company’s health and safety plans and protocols, including screening required to access Company offices/facilities and other measures designed to prevent the transmission of COVID-19 or other infectious diseases.
|
To enable us to make any appropriate reasonable adjustments | Compliance with a legal obligation/employment law obligations |
Immigration information (successful candidates only) | Passport, visa, work permit | To demonstrate right to work in the UK | Compliance with a legal obligation/employment law obligations |
Medical/health information (successful candidates only) | Pre-employment provision of medical information | To ascertain medical information that may be relevant to the role and/or the need for any reasonable adjustments | Necessary for performance of contract/compliance with a legal obligation & employment law obligations/assessment of working capacity |
WHAT IF YOU DO NOT PROVIDE THE PERSONAL DATA WE REQUEST?
If you do not provide us with certain information when requested, it may impact our ability to assess your suitability for a role with us or we may not be able to make you an offer of employment.
CHANGE OF PURPOSE
We will only use your personal data for the purposes for which we collected it (as identified above), unless we reasonably consider that we need to use it for another reason which is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
In some circumstances we may anonymise your personal data so that it can no longer be associated with you, in which case it is no longer considered personal data.
WITH WHOM WILL WE SHARE YOUR INFORMATION?
We may share your personal data with third parties where this is required by law, where it is necessary to perform our contract with you, or where we have another legitimate interest in doing so. We do not sell your data to third parties.
Other members of our corporate group
We are part of a group of companies (the “Bicycle Therapeutics Group”) that includes Bicycle Therapeutics Plc, BicycleTx Limited, BicycleRD Limited and Bicycle Therapeutics, Inc.
Certain functions of the Bicycle Therapeutics Group are centralised and conducted by members of the Bicycle Therapeutics Group other than us. We have a legitimate interest in benefiting from such centralisation and the services provided to us (as our data processor) by other members of the Bicycle Therapeutics Group. For example, other members of the Bicycle Therapeutics Group may assist in the recruitment process and may receive personal data in connection with such assistance.
We may also share your personal data with other entities in the Bicycle Therapeutics Group for the purpose of selecting candidates; for example, you may be interviewed by individuals from BicycleTx Limited and Bicycle Therapeutics, Inc.
Our service providers
We share personal data with Bicycle Therapeutics Group’s third-party service providers that perform services and functions at our direction and on our behalf. Our service providers are our IT service providers, our recruitment service providers and our lawyers. We rely on service providers in order to effectively operate our business.
Third party companies associated with a sale or acquisition of the business
In the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets
If all or any of our group companies or substantially all of their assets are acquired by a third party, in which case personal data may be one of the transferred assets.
Other third parties
We may need to share your personal data with a regulator or to otherwise comply with applicable law or judicial process. We may disclose your personal data if we are required by law to do so or if we reasonably believe that disclosure is necessary to protect our rights and/or to comply with judicial or regulatory proceedings, a court order or another legal process. We may share your personal data where this is required by law, where it is necessary to perform our contract with you, or where we have another legitimate interest in doing so.
PROCESSING OF YOUR PERSONAL DATA OUTSIDE THE UK
Certain of the parties with whom we may share your personal data (see the section immediately above) may be located outside the UK – for example, but without limitation, this will be relevant in respect of the following:
- members of our corporate group (such as Bicycle Therapeutics, Inc.);
- our third-party service providers (e.g., our recruitment service providers and IT providers); and
- our lawyers and other advisers.
A number of the countries in which recipients of your personal data are based may be countries in respect of which there is not an adequacy decision issued by the UK Government under the UK GDPR – what this means is that the country to which we transfer your data has not been deemed to provide an adequate level of protection for your personal data for the purposes of the UK GDPR.
However, in these cases:
- we may use specific appropriate safeguards, which are designed to give personal data the same protection it has in the UK – for example, requiring the recipient of personal data to enter into the International Data Transfer Agreement issued by the UK Information Commissioner’s Office and/or the Standard Contractual Clauses issued by the European Commission; or using services providers that are Data Privacy Framework certified; or
- in very limited circumstances, we may rely on an exception, or ‘derogation’, which permits us to transfer personal data to such country despite the absence of an ‘adequacy decision’ or ‘appropriate safeguards’ – for example, reliance on your explicit consent to that transfer.
If you want further information on the specific mechanism used by us when transferring your personal data out of the UK, please contact our Privacy Coordinator (privacy@bicycletx.com).
WHERE WE STORE YOUR PERSONAL DATA
The Bicycle Therapeutics Group has operations in the USA and in the UK. However, whenever it is being processed within the Bicycle Therapeutics Group, all personal data you provide to us will be stored on servers, which are provided and maintained by our processors, and which are located in the UK.
If members of the Bicycle Therapeutics Group located in the USA have access to information stored on servers in the UK, this will amount to a transfer of your personal data. However, as noted above, we have put in place Standard Contractual Clauses to ensure that appropriate safeguards are in place in respect of personal data that is transferred from members of the Bicycle Therapeutics Group in the UK to members of the Bicycle Therapeutics Group outside of the UK (such as Bicycle Therapeutics, Inc. who is located in the USA).
To establish additional practical safeguards for protection of your personal data, when transferring your information outside of the UK as part of the intragroup transfers described in this section, the transfer is made using an encrypted channel.
Once we have received your information, we will use appropriate technical and organizational measures to prevent unauthorised access, disclosure, loss or damage to your personal data.
HOW LONG WILL WE RETAIN YOUR INFORMATION?
We will only retain your personal data for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, regulatory, accounting or reporting requirements.
If you are successful in your application, we will retain the majority of the categories of personal data set out above for the duration of your working relationship with us and for a reasonable period of time after its termination as described in our employee privacy policy which will be made available to you once you become an employee. If you are unsuccessful in your application, we will retain the majority of the categories of personal data set out above for a reasonable period of time (no longer than twelve months) after the recruitment process has ended unless you have consented to us keeping it longer.
In some circumstances we may anonymise your personal data so that it can no longer be associated with you, in which case it is no longer personal data.
Once we no longer require your personal data for the purposes for which it is processed, we will securely destroy your personal data in accordance with applicable laws and regulations and in accordance with our records retention policy.
ACCURACY OF INFORMATION
It is important that the personal data we hold about you is accurate and current. Please let us know if your personal data changes during the recruitment process.
AUTOMATED DECISIONS
The Company does not envisage that you will be subject to decisions that will have a significant impact on you based solely on automated decision-making. The Company will notify you in writing if this position changes.
YOUR RIGHTS IN RELATION TO YOUR INFORMATION
Where the processing of your personal data is subject to the UK GDPR, you have rights as an individual which you can exercise in relation to the information we hold about you under certain circumstances. These rights are to:
- request access to your personal data (commonly known as a “data subject access request”) and request certain information in relation to its processing;
- request rectification of your personal data;
- request the erasure of your personal data;
- request the restriction of processing of your personal data;
- object to the processing of your personal data; and
- request the transfer of your personal data to another party.
If you want to exercise one of these rights please contact using the contact details set out below.
You also have the right to make a complaint at any time to the UK data protection regulator, the UK Information Commissioner’s Office – whose contact information is below:
The Information Commissioner’s Office
Water Lane, Wycliffe House
Wilmslow – Cheshire SK9 5AF
Tel. +44 303 123 1113
Website: https://ico.org.uk/make-a-complaint/
Where the processing of your personal data is subject to CCPA, you have the following rights:
- Right to Know. You have the right to request: (i) the categories or personal information we collected about you; (ii) the categories of sources from which the personal information is collected; (iii) our business or commercial purposes for collecting, selling, or sharing personal information; (iv) the categories of third parties to whom we have disclosed personal information; and (v) a copy of the specific pieces of personal information we have collected about you.
- Right to Delete. You have the right to request we delete personal information that we have collected from you.
- Right to Correct. You have the right to request that we correct inaccuracies in the personal information we maintain about you.
- Right to Opt-Out of Sales and Sharing. You have the right to opt-out of “sales” and “sharing” of your personal information, as those terms are defined under California privacy laws and regulations. However, Bicycle does not “sell” your personal data as defined under California privacy laws and regulations.
- Right to Limit Use and Disclosure. You have the right to limit the use and disclosure of your sensitive personal information.
- Right to Non-Discrimination. You have the right not to be subjected to discriminatory treatment for exercising any of the rights described in this section.
To exercise any of these rights, or if you have any question about the processing of your personal data, please contact us at privacy@bicycletx.com.
Fees
You will not usually have to pay a fee to access your personal data (or to exercise any of your other rights). However, we may charge a reasonable fee if your request is manifestly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is to ensure that personal data is not disclosed to any person who has no right to receive it.
FURTHER INFORMATION
This Privacy Notice was written with brevity and clarity in mind and is not an exhaustive account of all aspects of our collection and use of personal data. If you require any further information, please do not hesitate to contact us.
CONTACT US
BicycleTx Limited
privacy@bicycletx.com
BicycleTX Limited; Attention General Counsel Blocks A & B Portway Building Granta Park, Great Abington Cambridge CB21 6GS |
Bicycle Therapeutics, Inc.
privacy@bicycletx.com
Bicycle Therapeutics Inc; Attention: Office Manager 35 Cambridgepark Drive Suite 350 Cambridge MA 02140 |