Home → Resources → Privacy Hub → Candidate Privacy Notice
Candidate & Job Applicant Privacy Notice
How NOVARIC® processes personal data for recruitment, candidate management and employment placement
| Document ID: NOVARIC-POL-PRI-002 | Version: v1.0 | Effective: March 2026 | Review: March 2027 |
| Controller: NOVARIC® Ltd. (C 63881) & NOVARIC® Sh.A. | DPO: legal.department@novaric.co | Status: Active | |
1. Who We Are
NOVARIC® Ltd. (registered in Malta, C 63881) and NOVARIC® Sh.A. (registered in Albania) are the data controllers responsible for processing your personal data in connection with our recruitment, training, HR consulting, and relocation services. They may act individually or as joint controllers depending on the nature of the activity.
Contact the Data Controller: legal.department@novaric.co | Contact Form
2. What Data We Collect
Depending on the nature of your interaction with NOVARIC®, we may collect and process the following categories of personal data:
Identification & Contact Data
- Full name, nationality, date of birth
- Email address, telephone number, address
- Passport or national identity document number (where required for visa/work permit processing)
Professional & Qualification Data
- CV, work history, qualifications, and certificates
- Educational background and academic transcripts
- Skills, language proficiency, and professional licences
- References and professional evaluations
Application & Assessment Data
- Cover letters and application forms
- Interview notes and assessment results
- Test scores and competency evaluations
- Placement and matching preferences
Immigration & Relocation Data
- Visa and work permit status and documentation
- Right-to-work verification documents
- Relocation preferences and country of origin
Special Category Data (processed only where strictly necessary and with explicit consent)
- Health information relevant to specific job requirements
- Criminal record checks where required by law or by employer
- Disability or accessibility requirements
3. How We Use Your Data
| Purpose | Lawful Basis | GDPR Article |
|---|---|---|
| Evaluating your suitability for employment opportunities | Legitimate interests / Pre-contractual steps | Art. 6(1)(b)(f) |
| Matching your profile with employer requirements | Legitimate interests / Consent | Art. 6(1)(a)(f) |
| Communicating about vacancies and opportunities | Legitimate interests / Consent | Art. 6(1)(a)(f) |
| Processing visa and work permit applications | Legal obligation / Pre-contractual | Art. 6(1)(b)(c) |
| Vocational training and Academy enrolment | Contractual / Consent | Art. 6(1)(a)(b) |
| Sharing your profile with prospective employers | Explicit consent | Art. 6(1)(a) |
| Compliance with legal and regulatory requirements | Legal obligation | Art. 6(1)(c) |
| Fraud prevention and data security | Legitimate interests | Art. 6(1)(f) |
4. Who We Share Your Data With
NOVARIC® shares your personal data only where necessary and with appropriate safeguards in place:
- Prospective employers and clients — only with your explicit prior consent
- NOVARIC® group entities — NOVARIC® Ltd. (Malta) and NOVARIC® Sh.A. (Albania) acting as joint controllers
- Immigration and legal authorities — where required by law for visa and work permit processing
- Vocational training providers — for Academy enrolment and certification
- Technology and IT service providers — under strict data processing agreements (GDPR Art. 28)
- NOVARIC® Nexus AI system — for candidate matching and communication, governed by the NOVARIC® Nexus AI Governance Framework
- Regulatory and supervisory authorities — when legally required
5. International Transfers
When NOVARIC® transfers personal data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
- Binding Corporate Rules or other approved transfer mechanisms
Transfers to Albania: Albania has received an EU adequacy decision for data protection purposes.
6. How Long We Keep Your Data
| Data Type | Retention Period | Legal Basis |
|---|---|---|
| Active candidate profile | Duration of registration + 24 months | GDPR Art. 6(1)(f) — legitimate interests |
| Unsuccessful application | 6 months from rejection (unless consent given for longer) | GDPR Art. 6(1)(a)(f) |
| Placed candidate records | 5 years from end of placement | Legal obligation — employment law |
| Training/Academy records | 5 years from completion | Legal obligation — qualification records |
| Visa and immigration documents | As required by applicable immigration law (typically 5 years) | Legal obligation |
| Financial/invoicing records | 7 years | Maltese and Albanian financial regulations |
After the retention period, your data is securely deleted or anonymised. You may request early deletion by contacting legal.department@novaric.co.
7. Your Rights
| Right | What It Means for You | Legal Basis |
|---|---|---|
| Access (Art. 15) | Request a copy of all personal data we hold about you, including how it is used and who it is shared with. | GDPR Art. 15 |
| Rectification (Art. 16) | Ask us to correct any inaccurate or incomplete personal data. | GDPR Art. 16 |
| Erasure (Art. 17) | Request deletion of your data where no lawful basis exists to retain it. Note: legal obligations may require us to retain certain records. | GDPR Art. 17 |
| Restriction (Art. 18) | Ask us to temporarily stop processing your data while a dispute is resolved. | GDPR Art. 18 |
| Portability (Art. 20) | Receive your data in a structured, machine-readable format (JSON/CSV) to transfer to another provider. | GDPR Art. 20 |
| Object (Art. 21) | Object to processing based on legitimate interests, including profiling for candidate matching. | GDPR Art. 21 |
| Withdraw Consent | Withdraw consent at any time where processing is based on consent. Withdrawal does not affect prior lawful processing. | GDPR Art. 7(3) |
| Complaint | Lodge a complaint with the IDPC (Malta) at idpc.org.mt or IDP (Albania) at idp.al. | GDPR Art. 77 |
To exercise any right, submit your request to: legal.department@novaric.co — we will respond within 30 days.
8. Automated Decision-Making
NOVARIC® may use automated tools and AI systems (including NOVARIC® Nexus) to assist in candidate matching and communication. However, no fully automated decision with legal or significant effect is made without human review and validation.
9. Data Security
NOVARIC® implements appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These measures include:
- Encrypted data transmission and storage
- Access controls and authentication
- Regular security audits and testing
- Staff training on data protection obligations
- Incident response procedures compliant with GDPR Art. 33–34
10. Updates to This Notice
We review and update this Privacy Notice periodically to reflect changes in our practices or applicable law. We will notify you of material changes via email or through our website. The current version is always available at novaric.co/resources/privacy/candidate-privacy-notice/.
Related Privacy Notices
| NOVARIC® Privacy Hub | Hub |
| GDPR & Privacy Policy | NOVARIC-POL-GD-001 |
| NOVARIC® Nexus AI Governance | N-DOC-10010-032026 |
| Cookie Policy |
NOVARIC-POL-PRI-002 v1.0 | Effective: March 2026 | Review: March 2027 | Controller: NOVARIC® Ltd. C 63881 Malta
NOVARIC® — The Future Starts At The Endgame.™ | EU Trademark: 018313401 | Privacy Hub