- INTRODUCTION
- This HR Recruitment Data Protection Policy (‘the Policy’) outlines the principles and guidelines Hudson Group follows in the collection, processing, and protection of personal data for recruitment purposes. It aims to ensure compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR).
- This Policy governs the use of a Candidate’s Personal Data (as defined below) by Hudson Group, composed of Hudson Holdings Limited and its subsidiaries.
- We have tried to keep this policy as simple and clear as possible. However, if any part is unclear to you, contact the Hudson Group Legal Department at [email protected] and they will respond to your query in due time and clarify any doubt you may have.
- SCOPE
- This Internal Privacy Policy applies to the processing of personal data related to the recruitment and employment of candidates by Hudson Group employees. It is intended for all staff members involved in the recruitment process, including but not limited to Human Resources, IT, department managers, and any other personnel with access to or responsibility for handling candidate information.
- The policy governs the collection, use, storage, and sharing of candidate personal data, ensuring compliance with relevant data protection laws, including GDPR. It outlines the responsibilities of employees in protecting candidate data, maintaining confidentiality, and upholding the integrity and security of personal information throughout the recruitment process.
- This policy also details the internal procedures for handling personal data, the principles of data minimization, accuracy, and retention, and the rights of candidates regarding their personal data. Compliance with this policy is mandatory for all Hudson Group employees, and any breach may result in disciplinary action, up to and including dismissal.
- Hudson Group undertakes to abide by the following principles when Processing Employee’s Personal Data:
- Lawfulness: Personal Data is obtained and processed by lawful means and within the terms of the Applicable Law (as defined herein);
- Fairness: The processing of Personal Data will reflect what is stated in this Policy;
- Transparency: The employee concerned is informed about what categories of Personal Data are processed, for what purposes, by whom, for how long they are retained, and about their rights in relation to data protection.
- Purpose Limitation: Personal Data is collected for specified, explicit and legitimate purposes and not further processed in a manner which is incompatible with those purposes;
- Data minimisation: Personal Data collected is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
- Accuracy: Personal Data is accurate, complete and, where necessary, kept up to date;
- Storage limitation: Personal Data is kept in a form which permits identification of Data Subjects (as defined herein) for no longer than is necessary for its declared purpose(s);
- Integrity and Confidentiality: Personal Data is processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical measures;
- DEFINITIONS
| Term | Definition |
| --- | --- |
| “Applicable Law” | Shall mean the relevant data protection and privacy law, including GDPR (as defined herein) to which the Controller (and the Processors) are subject, and any guidance or statutory codes of practice issued by the relevant Privacy Authority/ies; |
| “Controller” | Shall, for the purposes of this Policy, mean the entity identified in Section 4 below, which determines the purposes and means of the processing of Personal Data; |
| “GDPR” | Shall mean General Data Protection Regulation, Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data; |
| “Data Subject” | Any natural person whose personal data is processed by the Hudson Group. In the context of this Policy, a data subject specifically refers to candidates applying for employment with Hudson Group; |
| “Candidate” | Shall mean any individual applying for employment with any Hudson Group entity at all levels and grades; |
| “Prospective Employer” | Shall mean either of (i) Hudson Holdings Limited (C37866), a company incorporated in Malta with offices at Hudson House, Burmarrad Road, Burmarrad, SPB9060, Malta. The Controller is reachable at: [email protected] or +356 2147 2790; or (ii) Hudson Malta Sales Limited (C32438), a company incorporated in Malta with offices at Hudson House, Burmarrad Road, Burmarrad, SPB9060, Malta. The Controller is reachable at: [email protected] or +356 2147 2790; or (iii) BD International Group Limited (C61540), a company incorporated in Malta with offices at Hudson House, Burmarrad Road, Burmarrad, SPB9060, Malta. The Controller is reachable at: [email protected] or +356 2147 2790. |
| “Employment agreement” | Shall mean the agreement that the Candidate and the Prospective Employer may enter into establishing the terms of the employment relationship; |
| “Hudson Group” | Shall mean Hudson Holdings Limited and/or all the subsidiaries forming part of the Group. |
| “Personal Data” | Shall mean any information relating to an identified or identifiable natural person as defined by the Applicable Privacy Law and including the categories of data listed in this Policy that the Controller (and the Processors) process; |
| “Processing” or “Processed” | Shall mean any operation or set of operations which is performed upon Personal Data whether or not by automatic means, including collecting, recording, organising, storing, adapting or altering, retrieving, consulting, using, disclosing, making available, aligning, combining, blocking, erasing and destroying Personal Data as defined in the Applicable Privacy Law; |
| “Processor” | Shall mean a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller; |
| “Recruitment Record” | Shall mean the employment application, the curriculum vitae, references, educational qualifications and certificates, interview notes and any other document or information requested from the Candidate as part of the recruitment process. |
| “Special Categories Data” | Shall mean, in the context of recruitment, personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as the processing of genetic data, biometric data for uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation. |
- CONTROLLER AND PROCESSORS
- The Data Controller is the Prospective Employer, being the entity responsible for determining the purposes and means of processing personal data. Data Processors include other Hudson Group entities which may be assisting with the recruitment process or which may be acting on behalf of the Prospective Employer. Processors also include third-party service providers involved in recruitment activities, bound by data processing agreements ensuring compliance with GDPR.
- The designated Processor is BambooHR (BambooHR LLC): BambooHR is a recruitment service provider engaged by Hudson Group to manage the recruitment process, track candidate applications, and facilitate communication with candidates throughout the recruitment lifecycle. All personal data processed by BambooHR is subject to the terms of the DPA.
The relationships between the Controller and the Processors have been formalized by concluding Data Processing Agreements based on Article 28.3 GDPR.
- PERSONAL DATA COLLECTED
- The Hudson Group entity may obtain Candidate Data (as defined in Section 5.2) directly from the Candidate or indirectly through the recruitment agencies it works with (as independent controllers), currently Konnekt Search & Selection Ltd, Accelerate Ltd and Ceek Limited through which the Candidates would have submitted their application.
- The Hudson Group entity collects the following data:
- Name and surname;
- Address;
- Identity card number;
- Civil status;
- Date of Birth;
- Place of Birth;
- Contact Details;
- Character references; and
- Qualifications and Training;
- The following special categories of personal data are collected:
- Police conduct certificate: These are reviewed by the Hudson Group entity but are not retained.
- Collection Channels
- Hudson Group facilitates a variety of channels for job applicants to submit their applications and CVs:
- Recruitment Inbox: Applications are primarily collected through a designated recruitment inbox accessed only by the Hudson Group’s Human Resources staff ([email protected]).
- YourFuture Career Portal: Candidates may also submit their applications via the Hudson Group’s ‘YourFuture’ career portal, ensuring a direct and secure data collection method;
- Job Boards and social media: For greater visibility, job vacancies are advertised on various job boards, including Jobsplus, and on social media platforms such as LinkedIn, Facebook, and Instagram. Social media management, including the dissemination of job advertisements, is handled by Nero Whyte, a third-party agency. The click-through application process on social media platforms does not collect personal data. Instead, potential candidates are redirected to Malta Operations’ careers website (YourFuture.mt), where personal data is collected only when the candidate initiates the application process.
- PURPOSES AND LAWFUL BASIS FOR COLLECTING PERSONAL DATA
- Personal data is only collected for specific, explicitly stated and legitimate purposes and is processed according to the lawful basis identified below:
- Contract: where processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. For the purposes of this Policy, Contract refers to the employment contract.
- Compliance with a legal obligation: where processing is necessary for compliance with a legal obligation to which the controller is subject.
- Legitimate Interest: where processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except when such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
| Categories of personal data | Purpose(s) | Legal basis |
| --- | --- | --- |
| Employment application, CV; Education Qualifications and Certificates | Recruitment, selection and shortlisting of candidates for previously published vacancies and any other vacant role that may be available at Hudson. | processing is necessary in order to take steps at the request of the data subject prior to entering into a contract |
| References | Verification of information provided in the employment application by job applicant. | processing is necessary in order to take steps at the request of the data subject prior to entering into a contract |
| Name and Last Name | | processing is necessary in order to take steps at the request of the data subject prior to entering into a contract |
| Date of Birth | | processing is necessary in order to take steps at the request of the data subject prior to entering into a contract |
| Gender | | processing is necessary in order to take steps at the request of the data subject prior to entering into a contract |
| Home address | | processing is necessary in order to take steps at the request of the data subject prior to entering into a contract |
| ID Card/Passport copy | | processing is necessary in order to take steps at the request of the data subject prior to entering into a contract |
| Personal email address | | processing is necessary in order to take steps at the request of the data subject prior to entering into a contract |
| Personal landline number | Communicate with the Candidate. | processing is necessary in order to take steps at the request of the data subject prior to entering into a contract |
| Personal mobile number | Communicate with the Candidate. | processing is necessary in order to take steps at the request of the data subject prior to entering into a contract |

| Categories of sensitive personal data | Purpose(s) | Legal basis |
| --- | --- | --- |
| Police conduct certificate | Verification of a clean police conduct | processing is necessary in order to take steps at the request of the data subject prior to entering into a contract |
- RECIPIENTS OF PERSONAL DATA
- Candidate’s Data may be shared between the undertakings forming part of the Hudson Group.
- Candidate’s Data may be shared between the Controller and the Processors as regulated by the respective Data Processing Agreements.
- Candidate Data may be disclosed to employees other than those serving in the HR department of Hudson Group, namely IT, Finance, Data Management, Marketing and Supply Chain.
- Hudson will release Candidate Data if obliged to do so to comply with any law, regulation or court order.
- Hudson Group does not sell, trade or otherwise transfer Candidate Data to any third party other than the above.
- Personal Data Transferred outside of the EEA
- Hudson Group may transfer Candidate Personal Data to its subsidiaries located outside of the European Economic Area (EEA), including but not limited to countries where Hudson Group’s subsidiaries are located, such as Morocco, Nigeria, and Algeria. These transfers may occur when necessary for recruitment purposes or for the management of HR-related functions across Hudson Group entities.
- In accordance with GDPR requirements for international data transfers, Hudson Group ensures that any transfer of Candidate Personal Data outside the EEA is conducted with appropriate safeguards. These safeguards include the use of Standard Contractual Clauses (SCCs) approved by the European Commission, which are in place across all Hudson Group entities involved in the processing of Candidate Personal Data.
- All Hudson Group subsidiaries receiving personal data are bound by SCCs to provide a level of data protection equivalent to that required within the EEA.
- HR Personnel must ensure that all personal data transfers to non-EEA countries are compliant with GDPR and internal policies.
- Legal and Compliance Teams are responsible for maintaining and updating SCCs across the group and ensuring these clauses are included in all relevant contracts with non-EEA subsidiaries. They must oversee the implementation of appropriate security measures and monitor compliance with GDPR for all international data transfers.
- IT Teams must ensure the security of data in transit between EEA and non-EEA locations, using encryption and secure communication channels.
- Hudson Group will periodically review all international data transfers to ensure ongoing compliance with GDPR. Any data transfer practices that do not adhere to the stipulated SCCs will be immediately addressed, and the necessary corrective actions will be taken.
- Employees responsible for processing Candidate Personal Data must liaise with the Legal Department to ensure compliance with the SCC framework when engaging in any cross-border data transfers.
- Automated Decision-Making in Recruitment Process
- Hudson Group employs automated decision-making systems during the recruitment process to assist in the efficient screening of candidates. These systems may automatically assess criteria such as geographic location, legal age, or other job-related factors to ensure compliance with applicable laws and the suitability of candidates for the role.
- Automated decisions are made solely based on predefined criteria set by Hudson Group to screen candidates for roles where specific disqualifications (e.g., location, age) apply.
- These decisions are made without human intervention at the initial screening stage, but a human review is available upon request.
- To ensure compliance with GDPR Article 22, Hudson Group undertakes the following:
- Transparency: Candidates are informed that automated decision-making may be used during the recruitment process.
- Human Intervention: Candidates have the right to request human intervention to review and potentially override automated decisions.
- Appeals Process: A clear procedure is in place for candidates to appeal automated decisions, request explanations, and receive a manual review.
- All staff involved in recruitment must:
- Inform candidates of the use of automated decision-making as part of the recruitment process.
- Ensure that candidates can exercise their rights to human intervention and contest decisions by escalating such requests to the appropriate HR personnel.
- Ensure that the logic behind automated decisions is documented and available for candidate review upon request.
- DATA STORAGE AND RETENTION
- Candidate Data in electronic format is stored:
- by BambooHR, a cloud-based solution, with servers within the EU;
- By Konnekt Search & Selection Ltd, a recruitment service provider;
- By Accelerate Ltd, a recruitment service provider;
- By Ceek Limited, a recruitment service provider;
- Internal server, accessible through file storage folders, protected by access control system;
- HR personnel computer system hard drives, password protected.
- Candidate Data in tangible, hard copy form, is securely stored in locked cabinets to which only designated HR personnel have access. Personal Data is stored on servers within the EU or third countries having equivalent protection.
- Personal data is not kept for a period longer than is necessary, having regard to the purposes for which it is processed.
- The Candidate’s Recruitment Record is retained throughout the Recruitment Process. If the Candidate is chosen for the job, their Recruitment Record will be included in their ‘Employee File’ and will be processed in accordance with the Employee Privacy Notice which will be made available to the Candidate together with their Employment agreement. If they are not shortlisted or if they are shortlisted but not chosen for the job, their Recruitment Record will be retained on file for a period of twelve (12) months in case Hudson Group needs to contact them again to offer them the job or another job which reflects their qualifications and experience during this period.
- The Candidate can ask Hudson Group to delete their Recruitment Record at any time during this period by sending an email to [email protected].
- The Police Conduct Certificate is not retained. It is verified by the Hudson Group recruitment staff and, where provided in physical copy, returned to the Candidate once verified.
- DATA SUBJECT RIGHTS
- Candidates have rights regarding their personal data, including access, rectification, deletion, restriction, and data portability. Requests to exercise these rights can be directed to the Data Controller by email to [email protected].
- Candidates are guaranteed a response within 30 days from the date of receipt of their enquiry.
- If the Candidate’s request is particularly complex or Hudson Group needs to process an extraordinary number of simultaneous requests, the Controller’s reply may take longer but will be provided no later than 2 months from the date of receipt of the enquiry. This reply will also include details explaining the reason for the delay in our response.
- Hudson Group will provide the information in digital format or, if preferred, in hard copy format.
- Such requests will not incur any fee, except when:
- The requests are manifestly unfounded or excessive, in particular because of their repetitive character. In this case a reasonable fee will be charged, taking into account the administrative costs of providing the information or communication or taking the action requested. In this case, Hudson Group may also refuse to act on the request after having explained its position;
- Should Hudson Group have reasonable doubts concerning the Candidate’s identity when making the request above, Hudson Group may require additional information, necessary to confirm the Candidate’s identity.
- Right to Access
- Candidates may obtain confirmation from Hudson Group as to whether or not their Personal Data is being processed, including:
- the purposes of the processing;
- the categories of Personal Data concerned;
- the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular if these are in countries outside of the European Economic Area or are international organisations;
- where possible, the envisaged period for which the Personal Data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from the Controller (or the Processor, if your request is related to one of the data processing activities conducted by the Processors) rectification or erasure of Personal Data or restriction of processing of Personal Data concerning the Data Subject or to object to such processing;
- The right to lodge a complaint with the supervisory authority;
- the right to data portability;
- the existence of automated decision-making, including profiling.
- Right to Rectification
- In case the Candidate’s data is inaccurate, incomplete or out-of-date, the Candidate has the right to rectify it.
- Deletion (“the right to be forgotten”)
- Candidates have the right to have their Personal Data erased in case:
- Such data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
- The employment agreement is withdrawn, terminated, or no longer in force, and there is no other legal basis legitimating the processing activities;
- the Candidate has objected to processing the data and there is no other legal basis legitimating its processing;
- the Candidate believes that their Personal Data has been unlawfully processed;
- the Candidate’s Personal Data has to be erased in order to ensure compliance with any legal obligations arising from any legislation enacted within the European Union or in Malta.
- Restriction
- Candidates have the right to request a restriction on the processing of their Personal Data in case:
- the Candidate contests the accuracy of their Personal Data, for a period enabling Hudson Group to verify the accuracy of such data;
- the processing of the Candidate’s data is unlawful, and they oppose the erasure of their personal data and request the restriction of their use instead;
- Hudson Group no longer needs the Personal Data for the purposes of the processing;
- Hudson Group no longer needs the Candidate’s data, but Hudson Group is required by the Candidate to retain the data for the establishment, exercise or defence of legal claims;
- the Candidate has objected to processing (as specified in detail below), pending the verification whether Hudson Group’s legitimate grounds override that of the Candidate.
- When the Candidate restricts processing, their personal data will, with the exception of storage, only be processed with their consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State.
- In case the Candidate has obtained restriction of processing as per above, we will inform the Candidate before the restriction of processing is lifted.
- Data Portability
- The Candidate enjoys a right to data portability with respect to their Personal Data held by Hudson Group, and Hudson Group hereby binds itself to provide the Candidate with the Personal Data concerning them which they have provided to the Employer, in a structured, commonly used and machine-readable format. In addition, the Candidate enjoys the right to transmit that data to another data controller without hindrance from Hudson Group.
- Complaint
- In addition to the above, and without prejudice to any other administrative or judicial remedy, the Candidate has the right to lodge a complaint with the Information and Data Protection Commissioner (IDPC), the competent Supervisory Authority for the Controller in Malta, if they deem it necessary to do so.
- The complaint may be submitted online through this link (subject to change): https://idpc.org.mt/en/Pages/contact/complaints.aspx
- DATA SECURITY
- Hudson Group takes reasonable and appropriate administrative, technical and physical measures to protect the confidentiality, integrity and availability of Personal Data, whether in electronic or tangible, hard copy form. These measures include:
- Secure storage;
- Regular back-ups;
- Access control.
- Hudson Group takes reasonable steps to protect Personal Data from loss, misuse and unauthorized access, disclosure, alteration and destruction.
- Hudson Group follows good practice policies and procedures for its Information Technology and Management, Backups and Data Recovery as well as Incident Response.
- ENFORCEMENT
- Upon establishment, this Policy will be communicated and made available to all candidate-facing employees of Hudson Group.
- All employees in charge of processing Candidate Personal Data shall comply with the provisions set forth by this Policy.
- Breach of any of the provisions of this Policy by employees in charge of processing Candidate Personal Data may lead to disciplinary action including dismissal, as foreseen by the internal Disciplinary Policy, by Chapter 452 of the Laws of Malta – Employment and Industrial Relations Act and other subsidiary legislation.