Privacy Policy

Recruitment and Selection

1. SCOPE

1-This Privacy Policy aims to comply with the right to information regarding the processing of personal data, whenever you interact with us or send us your CV and related personal information through this platform.

2-With this Policy, we also intend to inform you about how we ensure your privacy and the protection of your personal data.

3-This duty is a daily priority in our activity. We comply with and enforce the provisions of the data protection legislation concerning the protection of natural persons regarding the processing of personal data and the free movement of such data.

4-In order to initiate, continue or conclude a recruitment and selection process, we must process your personal data, and this Policy provides you with the legally required information.

5-If you have any questions about this Policy, please contact us using the contact details indicated in section 14.
2. GENERAL PRINCIPLES

1-In the context of your relationship with us, we comply with certain guiding principles whenever you access our recruitment platform and provide personal data or interact in ways that allow us to collect such data, including through forms and cookies.

2-This Policy is based on the following core principles, which we consider essential in our operations:

i) Only duly authorized individuals process personal data, and only the data that is strictly necessary for specific and legitimate purposes;

ii) Security in the processing of personal data is a constant priority, regularly reviewed in light of technological developments and supported by ongoing investment;

iii) We acknowledge that personal data belongs to its data subjects, and it is processed in accordance with applicable legal norms, fully respecting your rights;

iv) We promote and disseminate best practices regarding Privacy, Data Protection and Information Security within our organisation, which are reviewed regularly as part of our commitment to continuous improvement.
3. DEFINITIONS AND INFORMATION TO DATA SUBJECTS

For the purposes of this Policy, we follow the above definitions including (but not limited to) the following:

i) Personal Data: Any information relating to an identified or identifiable natural person, such as an ID number or other identifiers related to physical, physiological, mental, economic, cultural or social identity.

ii) Processing: Any operation or set of operations performed on personal data, whether or not by automated means (e.g., collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction).

iii) Consent: any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

iv) Controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing.

v) Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
4. WHO IS THE DATA CONTROLLER

Nors Group, S.A. and its subsidiaries are the entities that determine the purposes and means of personal data processing. Each of these entities is considered a data controller. Their contact details can be found at www.nors.com
5. WHAT PERSONAL DATA DO WE PROCESS DURING RECRUITMENT?

1-Nors Group, S.A. and its subsidiaries process the following categories and types of personal data:

i) Identification data: e.g. name, nationality, ID document, date of birth, tax number (NIF), and social security number;

ii) Contact details: e.g. address, phone/mobile number, and email address;

iii) Personal status data (if applicable): e.g. residence permit/work visa and immigration-related information;

iv) Professional data: work experience, CV data, employment history, academic qualifications, certificates, references, and recommendation letters;

v) Geographical data;

vi) Assessment data: results from evaluations conducted by processors, including language tests, leadership assessments, reasoning tests, or simulations conducted internally;

vii) Other: driving license and related authorisations, where necessary.

2-If legally permitted and relevant to the job role, we may also process data relating to criminal convictions and offences (e.g., a copy of a criminal record certificate).

3-If personal data is submitted by means other than the recruitment platform (e.g. email, postal mail, or in person), it will be entered into the platform by authorised staff and the original medium will be securely destroyed.
6. PURPOSES OF PERSONAL DATA PROCESSING

Personal data is processed by Nors Group, S.A. and its subsidiaries for the following purposes:

i)Recruitment and selection for published vacancies;

ii)Handling of spontaneous applications;

iii)Management of applications for internships (academic or professional);

iv)Sending of informative communications about career opportunities
7. HOW LONG DO WE RETAIN PERSONAL DATA?

1-Personal data is processed in strict compliance with applicable law and stored in specific databases created for this purpose.

2-Retention periods vary by purpose:

i) Recruitment records are retained for 5 years;

ii) Spontaneous applications are retained for 1 year;

iii) With your consent, we may retain data for 1 year after an unsuccessful application, in case future relevant vacancies arise. Consent can be withdrawn at any time.
8. LEGAL BASES FOR PROCESSING

1-Personal data is processed by us in the context of selection and recruitment in strict compliance with the principle of lawfulness.

2-We process personal data strictly in line with the principle of lawfulness, based on:

i) Pre-contractual steps at the data subject's request (e.g., job application);

ii) Our legitimate interests (e.g., for spontaneous applications);

iii) Your consent, where applicable.
9. DATA SHARING WITH PROCESSORS

1-To achieve the above purposes, we may share personal data with processors (e.g. consultancy firms, training providers, IT support, building access control companies, psychometric testing firms).

2-In these cases, we ensure processors offer adequate technical and organisational safeguards, act only on our documented instructions, and delete or return data after the service ends, as contractually required.

3-We also implement technical and organisational measures to guarantee the confidentiality, integrity, and availability of the data, as required under applicable data protection laws.
10. TRANSFERS TO THIRD COUNTRIES AND INTERNATIONAL ORGANISATIONS

If we transfer personal data to third countries or international organisations, we will fully comply with all applicable legal provisions. We will assess the adequacy of the country or organisation regarding data protection or implement appropriate safeguards to ensure that data subjects enjoy enforceable rights and effective legal remedies.
11. WHAT ARE YOUR RIGHTS AS A DATA SUBJECT?

1- We have implemented internal organisational measures, which are reviewed regularly, to guarantee your rights, including:

i) Right of access: You may request confirmation of whether we process your personal data, and access to that data and related information. A copy will be provided free of charge, though additional copies may incur a reasonable administrative fee. If the request is electronic, we will respond electronically unless you request otherwise.

ii) Right to rectification: You may request the correction of inaccurate or incomplete personal data. You may also update data directly via your user profile.

iii) Right to erasure ("right to be forgotten"): You may request the deletion of your personal data in certain circumstances, including directly via your platform profile.

iv) Right to object: You may object, on grounds relating to your particular situation, to the processing of your data. Note: objection may prevent the continuation of the recruitment process.

v) Right to data portability: You may request a copy of your personal data in a structured, commonly used and machine-readable format or request it to be transferred to another organisation.

vi) Right to restriction of processing: You may request restriction of processing, e.g., while verifying accuracy or in cases of unlawful processing.

vii) Right to lodge a complaint: You may submit a complaint to the supervisory authority - Information and Data Protection Commission (IDPC).

viii) Right to compensation: If you suffer material or non-material damage because of a breach, you have the right to compensation from the controller or processor.

ix) Right not to be subject to automated decision-making: You have the right not to be subject to a decision based solely on automated processing, including profiling, that significantly affects you.

x) Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time, without affecting the lawfulness of prior processing.

2-To exercise any of these rights, please refer to section 14 of this Policy.

3-Once your request is received, we will respond within 30 days, or up to 60 days in case we are dealing with a high number of requests or due to their complexity, providing a justified reply should any of these situations occur.
12. WHAT SECURITY MEASURES HAVE WE IMPLEMENTED?

1- We have adopted appropriate technical and organisational measures to ensure a level of security appropriate to the risks, which are reviewed and improved regularly, designed to ensure the security and protection of personal data in terms of its availability, authenticity, integrity and confidentiality, as well as to prevent its loss, misuse, alteration, processing or un authorised access, and any other form of unlawful processing.

2- Our commitment to the security of personal data is ongoing. This commitment involves a set of measures aimed at safeguarding and mitigating the risk of data breaches, depending on the risk, context and purposes, among which the following are particularly noteworthy:

i) Pseudonymisation and encryption of personal data;

ii) Ensuring confidentiality, integrity, availability, and resilience of processing systems and services;

iii) Ability to restore access and availability in the event of a physical or technical incident;

iv) Regular testing and evaluation of the effectiveness of our technical and organisational measures.

c) The level of security we have implemented takes into account the risks associated with the processing, with particular consideration given to the risks of accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
13. DATA PROTECTION OFFICER (DPO)

1-Nors Group, S.A. and its subsidiaries have appointed a Data Protection Officer (DPO) to oversee compliance with applicable data protection rules.

2-If you have any questions or concerns you may email to: dpo@nors.com.
14. CHILDREN'S PERSONAL DATA

Our recruitment platform does not collect personal data from children.
15. LINKS TO OTHER WEBSITES

1-Our recruitment platform may contain links to other websites.

2-Nors Group, S.A. and its subsidiaries are not responsible for the content or privacy policies of those external sites.

3- In order to be properly informed, we recommend that you read the privacy policies of any other website linked to our recruitment platform.
16. WHAT HAPPENS IF A PERSONAL DATA BREACH OCCURS?

1-If a personal data breach occurs (e.g., accidental or unlawful destruction, loss, alteration, disclosure, or unauthorised access), we will act in accordance and inform the appropriate parties.

2-If the breach poses a high risk to your rights and freedoms, we will notify you without undue delay, providing:

i) Likely consequences of the breach;

i) Measures taken or proposed to address and mitigate the breach.

3-If it is not possible to provide all information at once, we will provide it in phases as quickly as possible.
17. USE OF COOKIES

1-Our recruitment platform uses cookies.

2-For more information on the types of cookies used, their purpose, duration, and third-party access, as well as how to manage them in your browser, please consult our Cookie Policy
18. EMPLOYEE TRAINING

1-We recognise that the human factor is critical when it comes to complying with the applicable personal data protection regulations.

2-All employees receive initial and ongoing training to ensure awareness of applicable rules and best practices for protecting personal data.
19. CHANGES TO THIS PRIVACY POLICY

We reserve the right to change this Privacy Policy at any time without prior notice. All changes become part of the Policy upon publication.
20. POLICY VERSIONS

Version 1    |     September 2021

Version 2    |     June 2025