NOVARIC® Privacy Policy

HomeResources → Privacy Policy

NOVARIC® Privacy Policy

How we collect, use, protect and respect your personal information

Enacted: September 1, 2017 Revised: March 11, 2022  |  January 2, 2025  |  March 22, 2026 Owner: Legal Team, NOVARIC® Ltd.
Controller: NOVARIC® Ltd. (C 63881, Malta) & NOVARIC® Sh.A. (Albania) Status: Active
This Privacy Policy applies to all personal information collected and processed by NOVARIC® Ltd. (Malta) and NOVARIC® Sh.A. (Albania) in connection with our recruitment, vocational training, HR consulting, relocation, and outsourcing services. It is fully aligned with the General Data Protection Regulation (GDPR, EU 2016/679) and applicable national data protection laws. For role-specific privacy notices, visit the NOVARIC® Privacy Hub.

1. Background and Commitment

NOVARIC® Ltd. (hereinafter referred to as “NOVARIC®”) handles various categories of information, including technical information, candidate and client data, and information provided through our digital platforms and services. With this in mind, NOVARIC® has established and continuously improves a comprehensive information management and data protection system in order to respect the value of all personal information entrusted to us.

In accordance with this commitment, NOVARIC® has established clear rules and a governance framework for personal information protection, communicated them to all board members and employees, and made this Privacy Policy readily accessible to the public. Furthermore, NOVARIC® will strive to protect personal information appropriately based on this policy and to make continual improvements to its data protection practices.

Legal Basis: GDPR EU 2016/679 Art. 5 (principles of processing)  |  Art. 13 & 14 (information obligations)  |  EU Charter of Fundamental Rights Art. 8 (protection of personal data)

2. Our Personal Information Protection Principles

The following principles guide how NOVARIC® collects, uses, stores, and protects all personal information. These principles are binding across all NOVARIC® entities and activities.

Lawfulness, Fairness and Transparency

We process personal data only on a valid lawful basis. We are transparent about how and why we use your data, and we act fairly in all our data processing activities. When NOVARIC® requires a person to provide personal information, we clearly state the purpose beforehand and obtain consent where required.

Legal Basis: GDPR Art. 5(1)(a)  |  Art. 6 (lawful bases)  |  Art. 13 & 14 (transparency obligations)

Purpose Limitation

We collect personal information only for specific, explicit, and legitimate purposes and do not use it for purposes incompatible with those originally stated. NOVARIC® will not use personal information for purposes other than the original intent and will implement appropriate measures to ensure this.

Legal Basis: GDPR Art. 5(1)(b) (purpose limitation)

Data Minimisation

We collect only the personal data that is necessary for the stated purpose. We do not collect excessive or irrelevant information. Our data collection practices are proportionate to our legitimate business needs.

Legal Basis: GDPR Art. 5(1)(c) (data minimisation)

Accuracy

We take reasonable steps to ensure that personal data is accurate, complete, and kept up to date. Inaccurate data is corrected or deleted without delay upon notification or identification.

Legal Basis: GDPR Art. 5(1)(d) (accuracy)  |  Art. 16 (right to rectification)

Storage Limitation

We retain personal data only for as long as necessary for the stated purpose or as required by applicable law. After the retention period expires, data is securely deleted, anonymised, or disposed of in accordance with our data disposal procedures.

Legal Basis: GDPR Art. 5(1)(e) (storage limitation)

Integrity and Confidentiality

We implement appropriate technical and organisational security measures to protect personal data against unauthorised access, disclosure, alteration, or destruction. These measures are regularly reviewed and updated.

Legal Basis: GDPR Art. 5(1)(f)  |  Art. 32 (security of processing)  |  ISO 27001:2022 (information security management)

Accountability

NOVARIC® takes full responsibility for complying with these principles and can demonstrate compliance at all times. We maintain internal policies, procedures, training records, and processing registers to support this accountability.

Legal Basis: GDPR Art. 5(2) (accountability)  |  Art. 30 (records of processing activities)

3. Scope of Application

This Privacy Policy establishes the handling of all personal information by NOVARIC® in its company activities. It applies to:

  • Recruitment, talent acquisition, and employment placement services
  • Vocational training and NOVARIC® Academy programmes
  • HR consulting, relocation, and outsourcing services
  • Interactions via the novaric.co website and all NOVARIC® digital platforms
  • Communications via email, telephone, social media, and NOVARIC® Nexus AI systems
  • Business relationships with clients, partners, suppliers, and public authorities

This policy applies to NOVARIC® Ltd. (Malta, C 63881) and NOVARIC® Sh.A. (Albania), and to all employees, contractors, and third-party processors acting on their behalf.

Legal Basis: GDPR Art. 3 (territorial scope)  |  Art. 4(1) (definition of personal data)  |  Art. 4(7) (definition of controller)

4. Personal Information We Collect

Depending on your interaction with NOVARIC®, we may collect and process the following categories of personal information. In all cases, collection is limited to what is necessary and proportionate to the purpose.

Identification and Contact Data

  • Full name, nationality, and date of birth
  • Email address, telephone number, and postal address
  • Passport or identity document number (where required for visa or work permit processing)

Professional and Qualification Data

  • CV, employment history, qualifications, and certifications
  • Educational background, academic records, and transcripts
  • Skills, language proficiency, professional licences, and references

Website and Digital Interaction Data

  • IP address, browser type, and device information
  • Pages visited, time spent on site, and referral sources
  • Cookie and tracking data — see Cookie Policy

Business Contact Data

  • Name, job title, company name, business email, and telephone
  • Correspondence and communication records with clients and partners

Special Category Data (processed only where strictly necessary)

In limited circumstances and only where required by law or with your explicit consent, we may process:

  • Health or disability information relevant to specific employment requirements
  • Criminal record information where required by applicable law or employer
Legal Basis: GDPR Art. 9 (special categories of personal data)  |  Art. 10 (criminal convictions data)  |  Art. 6(1)(a)(b)(c) (lawful bases for processing)

5. How We Use Personal Information

NOVARIC® processes personal information only for legitimate, specified purposes. The following table sets out the primary purposes and their lawful bases under GDPR:

Purpose Lawful Basis GDPR Art.
Providing recruitment, training, and HR services Contract / Legitimate interests 6(1)(b)(f)
Matching candidates with employment opportunities Consent / Legitimate interests 6(1)(a)(f)
Processing visa and work permit applications Legal obligation / Contract 6(1)(b)(c)
Communicating about vacancies, services, and updates Consent / Legitimate interests 6(1)(a)(f)
Operating and improving our website Legitimate interests / Consent 6(1)(a)(f)
Complying with legal and regulatory obligations Legal obligation 6(1)(c)
Preventing fraud and ensuring data security Legitimate interests 6(1)(f)
Legal Basis: GDPR Art. 6 (lawful bases)  |  Directive 2002/58/EC (ePrivacy)  |  Directive 2019/1152/EU (transparent working conditions)  |  Directive 2008/104/EC (agency work)

6. Provision to Third Parties

NOVARIC® will not provide personal information to a third party without first obtaining prior consent from the person concerned, except in the following circumstances:

  • Prospective employers and clients — only with your explicit prior written consent for candidate profiles
  • NOVARIC® group entities — NOVARIC® Ltd. (Malta) and NOVARIC® Sh.A. (Albania) acting as joint or separate controllers
  • Immigration and public authorities — where required by applicable law for visa, work permit, or regulatory processing
  • Technology and IT service providers — acting as data processors under written data processing agreements (GDPR Art. 28)
  • NOVARIC® Nexus AI system — for candidate matching and communication, governed by the NOVARIC® Nexus AI Governance Framework
  • Professional advisors — lawyers, auditors, and accountants under binding confidentiality obligations
  • Regulatory and supervisory authorities — when legally required
NOVARIC® never sells personal data to third parties. We do not share candidate profiles with employers without explicit prior consent.
Legal Basis: GDPR Art. 28 (data processor agreements)  |  Art. 46 (transfers outside the EEA)  |  Art. 49 (derogations for specific situations)

7. International Transfers

Where NOVARIC® transfers personal data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place in accordance with GDPR Chapter V. These include Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions, and other approved transfer mechanisms.

Transfers to Albania benefit from Albania’s EU adequacy status. All international transfers are documented, regularly reviewed, and subject to the same data protection standards that apply within the EEA.

Legal Basis: GDPR Art. 44–49 (international transfers)  |  EC Implementing Decision on SCCs 2021/914  |  EDPB Guidelines 05/2021 on international transfers

8. Security Measures

To ensure the correctness and safety of personal information, NOVARIC® implements various technical and organisational measures. These include:

  • Encrypted data transmission and at-rest storage
  • Role-based access controls and multi-factor authentication
  • Regular security audits, vulnerability assessments, and penetration testing
  • Staff training on data protection and information security obligations
  • Incident detection, classification, response, and notification procedures
  • Secure disposal and anonymisation of personal data no longer required

When any problems regarding safety measures are identified, NOVARIC® takes immediate corrective action, notifies affected individuals, and reports to supervisory authorities as required by law — typically within 72 hours of becoming aware of a breach.

Legal Basis: GDPR Art. 32 (security of processing)  |  Art. 33 (notification of breach to supervisory authority within 72 hours)  |  Art. 34 (communication to data subjects)  |  ISO 27001:2022  |  NIS Directive 2016/1148/EU

9. Cookies and Web Beacons

NOVARIC® uses cookies and similar tracking technologies on our website to improve user experience, analyse website traffic, and support our services. Cookie types include:

  • Strictly necessary cookies — essential for the website to function correctly
  • Analytics cookies — to understand how visitors use our site and improve performance
  • Marketing cookies — to personalise content and communications (deployed only with your consent)

When a person contacts NOVARIC® by telephone, the conversation may be recorded to aid accurate replies and for quality assurance purposes. You will be informed at the beginning of any recorded call.

For full details on cookies and how to manage your preferences, see our Cookie Policy.

Legal Basis: Directive 2002/58/EC (ePrivacy Directive)  |  GDPR Art. 6(1)(a) (consent for non-essential cookies)  |  ICO Cookie Guidance 2022

10. Your Rights Regarding Personal Information

Under GDPR, you have the following rights in relation to your personal data held by NOVARIC®. To exercise any of these rights, please submit your request using the contact details in Section 11:

Right Description GDPR Article
Access Request a copy of the personal data we hold about you, including how it is used and who it is shared with Art. 15
Rectification Ask us to correct inaccurate or incomplete data without undue delay Art. 16
Erasure Request deletion of your data where there is no lawful basis to retain it. Note: legal obligations may require retention of certain records Art. 17
Restriction Ask us to limit how we use your data while a dispute or query is being resolved Art. 18
Portability Receive your data in a structured, machine-readable format (e.g. JSON/CSV) to transfer to another provider Art. 20
Object Object to processing based on legitimate interests, including profiling for candidate matching Art. 21
Withdraw Consent Withdraw consent at any time where processing is consent-based. Withdrawal does not affect prior lawful processing Art. 7(3)
Complaint Lodge a complaint with the Information and Data Protection Commissioner (IDPC) in Malta at idpc.org.mt, or with the IDP in Albania at idp.al Art. 77

We will respond to all valid requests within 30 days. In complex cases, we may extend this by a further two months and will inform you of the extension and reason.

Legal Basis: GDPR Art. 12 (transparent communication and modalities for exercising rights)  |  Art. 15–22 (data subject rights)

11. Contact Information

For all enquiries, disclosures, requests, or complaints related to this Privacy Policy or the handling of your personal data, please contact us using the following details:

Data Protection & Privacy legal.department@novaric.co
Postal Address NOVARIC® Ltd., Level 4, Angelica Court, Giuseppe Cali Street, Ta’ Xbiex XBX 1425, Malta
Telephone +356 2711 2206
General Enquiries contact@novaric.co  |  Contact Form
Supervisory Authority (Malta) IDPC — Information and Data Protection Commissioner  |  idpc.org.mt
Supervisory Authority (Albania) IDP — Information and Data Protection Commissioner  |  idp.al

12. AI and Automated Processing

NOVARIC® uses AI-assisted tools, including NOVARIC® Nexus, to support certain business operations including candidate communications and administrative processing. Consequently, some of your personal data may be processed by automated systems. However, no automated decision with a legal or similarly significant effect on you is made without human review and validation.

You have the right to request human review of any automated assessment. Contact us at legal.department@novaric.co.
Legal Basis: GDPR Art. 22 (automated decision-making and profiling)  |  EU AI Act 2024 (high-risk AI in recruitment)  |  EDPB Guidelines on Automated Processing

13. Updates to This Policy

We review and update this Privacy Policy periodically to reflect changes in our practices, legal obligations, or applicable law. Material updates will be communicated via our website. The current version is always available at novaric.co/privacy-policy/.

Version History

Date Change
September 1, 2017 Initial enactment — NOVARIC® Ltd. Personal Information Protection Policy
March 11, 2022 First revision — updated for expanded services and GDPR alignment
January 2, 2025 Second revision — updated contact information and retention provisions
March 22, 2026 Current version — full GDPR-grade restructure, AI processing governance, EU directive compliance matrix, Privacy Hub integration, rights table, supervisory authority contacts

Related NOVARIC® Documents

Document Reference
NOVARIC® Privacy Hub Hub
Candidate & Job Applicant Privacy Notice NOVARIC-POL-PRI-002
Cookie Policy
NOVARIC® Nexus AI Governance N-DOC-10010-032026
GDPR & Data Protection Notice NOVARIC-POL-GD-001
Governance Hub N-HUB-GOV

Published under NOVARIC® Resources  |  NOVARIC® Privacy Hub

Enacted: September 1, 2017  |  Current Revision: March 22, 2026  |  Legal Team, NOVARIC® Ltd.

NOVARIC® — The Future Starts At The Endgame.™  |  C 63881 — Malta  |  VAT: MT 2170 7305  |  EU Trademark: 018313401