Candidate Privacy Notice

Thank you for your interest in Draig Therapeutics Limited (referred to as “Draig”, “We”, “Our” or “Us”). We are committed to protecting the privacy and security of your Personal Data.

This Privacy Notice is intended for recruitment candidates located within the European Union (EU), European Economic Area (EEA), Switzerland or United Kingdom (UK).

It is important that you read this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing Personal Data about you, so that you are aware of how and why we are using such information.

You have been directed to or otherwise sent a copy of this privacy notice because you are applying for work with us (whether as an employee, worker, contractor or consultant). This notice makes you aware of how and why your personal data will be used, namely for the purposes of the recruitment exercise, and how long it will usually be retained. It provides you with certain information that must be provided under Data Protection Legislation and explains how your Personal Data will be processed.

Personal Data means any information or piece of information which could identify you either directly (e.g. your name) or indirectly (e.g. a unique ID number).

If anything in this Privacy Notice conflicts with local law in your jurisdiction, local law prevails.

The controller of your Personal Data

Draig is the Data Controller for the Personal Data that we process about you during the recruitment process.

Where data is processed by a controller or processor established in the European Union or comprises the data of people in the European Union, the Data Protection Legislation means the General Data Protection Regulation (Regulation (EU) 2016/679) (‘EU GDPR’). This includes any replacement legislation coming into effect from time to time. Depending on your location, additional legislation might also apply.

In the UK, Data Protection Legislation means the Data Protection Act 2018 (‘DPA 2018’), United Kingdom General Data Protection Regulation (‘UK GDPR’), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (‘PECR’) and any legislation implemented in connection with the legislation mentioned above.

If you are a candidate from a country outside the UK, EU or Switzerland and you apply for a position with Draig, your personal data will be processed in accordance with GDPR.

We have appointed a Data Protection Officer (DPO) to help us monitor internal compliance, inform and advise on data protection obligations, and act as a point of contact for data subjects and supervisory authorities. We have also designated an EU representative. To locate the relevant contact details, please see the Contact Us section below.

The Personal Data we collect about you

Personal Data Category: Personal Data

Basic information: Your name (including prefix or title), gender, civil status, age and date of birth

Contact information: Any information you provide to us that allows us to contact you, e.g. your personal or business email address, personal or business mailing address, personal or business telephone numbers, emergency contact information

National identifiers: Your national ID, passport details, driving licence details, residency and work permit status, national insurance number, or other taxpayer/government identification number

Recruitment information: Information related to your education, work experience, references, and referees. Information relating to education and academic achievements as well as professional qualifications. Information contained in application forms and resumes, such as education, professional qualifications, languages and other relevant skills. Information as a result of background checks (including credit checks and criminal record checks, where applicable). Information relating to interviews, including notes, audiovisual recordings, etc.

Financial information: Your salary, and any other compensation you provide to us as part of the recruitment process and negotiations

Expenses information: Where you have incurred expenses and Draig has agreed to reimburse the expenses, information included in your expense request and information needed by Draig to process such request according to its policies, e.g. locations, invoices, car licence plate number (if applicable), travel tickets

Audiovisual recordings: We may collect photographs, video and audio recordings of you, e.g., recording videoconference meetings, or when you upload or share your photographs and videos for recruitment purposes, if necessary

Opinions: Information you provide when you participate in our surveys or conversation channels

Special Category Personal Data: Information related to your:

  • ethnicity
  • religious or philosophical beliefs
  • health
  • sexual life details
  • sexual orientation

Criminal Convictions and Offences Data: Information related to your unspent criminal convictions and offences.

You can decide whether to give us special categories of information if we ask you for them. If you decide not to share these with us, please be assured this does not affect your application.

You can also choose not to give us the other types of Personal Data when we ask you for them. If you decide not to give us your Personal Data, we may not be able to assess or consider your application.

If you give us the Personal Data of another person, e.g. your spouse/partner or referees, we assume you have their permission to share their data with us.

How we collect your Personal Data

We collect your Personal Data when you:

Apply for a job at Draig and participate in our recruitment process.

Interact with our Human Resources team.

Sign up to receive open job posts.

Otherwise provide it to us.

We will also collect your information through:

Recruitment agencies.

Background and pre-employment check providers.

Credit reference agencies.

Your named referees.

Social media platforms (such as LinkedIn) or other publicly available sources.

How we use your Personal Data

Personal Data Category: Basic information; Contact information; Recruitment information; National identifiers; Audiovisual recordings; Infrastructure interactions; Opinions; Criminal Convictions and Offences data
Lawful Basis: Our Legitimate Interest in recruiting talent (GDPR, Article 6(1)(f))
Purpose: Recruitment
For recruitment purposes, including, but not limited to: suitability reviews (applications, CVs, interviews); maintaining recruitment records; screening, background checks, credit checks, and criminal record checks; and sourcing references, where applicable.

Personal Data Category: Basic information; Contact information; Recruitment information; National identifiers; Financial information; Infrastructure interactions; Special Category Personal Data (health)
Lawful Basis: Contractual Obligation (GDPR, Article 6(1)(b))
Purpose: Successful Recruitment
For successful recruitment purposes, including, but not limited to: verification of identification documentation; collecting personal, financial, and health information to prepare for your forthcoming employment.

Personal Data Category: Basic information; Contact information
Lawful Basis: Contractual Obligation (GDPR, Article 6(1)(b))
Purpose: Communication
Communicating with you and facilitating your communication with others.

Personal Data Category: Basic information; National identifiers; Recruitment information; Financial information; Special Category Personal Data (health)
Lawful Basis: Legal Obligation (GDPR, Article 6(1)(c))
Purpose: Legal Obligations
For the purposes of complying with legal, regulatory and other requirements, including, but not limited to: checking Right to Work documentation; reviewing vehicular insurance and associated documentation; complying with local employment, social security and occupational health laws and regulations; record-keeping and reporting obligations; and complying with government inspections and other requests from government or other public authorities.

Personal Data Category: Basic information; Contact information; Dependant information; Special Category Personal Data (health)
Lawful Basis: Vital Interest (GDPR, Article 6(1)(d))
Purpose: Vital Interest
Monitor your health in order to safeguard and protect you, or to act in your vital interest, or the vital interest of a third party.

Personal Data Category: Basic information; Contact information; Employment information
Lawful Basis: Consent for including your personal data in our candidate pool (GDPR, Article 6(1)(a))
Purpose: Retaining Unsuccessful Candidate Data
Retaining your candidate information in order to potentially invite you to apply for a similar role in the future.

Personal Data Category: Basic information; Special Category Personal Data (Ethnicity, Religious or Philosophical Beliefs, Health data, Sexual Orientation)
Lawful Basis: Public Interest (GDPR, Article 6(1)(e))
Purpose: Equal Opportunity Monitoring
Where you are applying to Draig, we may use information about your ethnicity, religious or philosophical beliefs, health data (including any disabilities), or sexual orientation, for equal opportunity monitoring and reporting purposes. You can opt out of equal opportunity monitoring at any time by using the contact details provided in the Contact Us section below.

Why we collect and use your Personal Data

We only process your data when we have one of the following lawful bases:

Where we have a legitimate interest to do so. It is in our legitimate interests to decide whether to appoint you as it would be beneficial to our business to appoint a suitably qualified individual for the advertised position.

Where we have a contractual obligation, or to take steps at your request to enter into a contract with you. We will only do so should you be successful in receiving a job offer.

We may need to process your Personal Data for any legal obligations, such as processing Right to Work documentation.

We may need to process your information where it is in your vital interests, or in the vital interests of a third party.

We may ask for your consent to retain your Personal Data on file for a period of twenty-four months, on the basis that a further opportunity may arise in future and we may wish to consider you for that.

If you fail to provide information when requested, which is necessary for us to consider your application, we will not be able to process your application successfully. For example, if we require references for this role and you fail to provide us with relevant details, we will not be able to take your application further.

How we use particularly sensitive Personal Data

Special Category Personal Data

Special Category Personal Data: Health data
Condition for Processing: Employment Law (GDPR, Article 9(2)(b))
Purpose: Reasonable Adjustments
We may use information about your health or disability status to consider whether we need to provide reasonable adjustments to your recruitment or interview process (e.g., if you are disabled).

Special Category Personal Data: Health data
Condition for Processing: Vital Interest (GDPR, Article 9(2)(c))
Purpose: Vital Interest
To act in your vital interest, or the vital interest of a third party.

Special Category Personal Data: Ethnicity; Religious or Philosophical Beliefs; Health data; Sexual Orientation
Condition for Processing: Substantial Public Interest (GDPR, Article 9(2)(g))
Purpose: Equal Opportunity Monitoring
We may use information about your ethnicity, religious or philosophical beliefs, health data (including any disabilities), or sexual orientation, for equal opportunity monitoring and reporting purposes, in accordance with applicable law or best practice. You can opt out of equal opportunity monitoring at any time by using the contact details provided in the Contact Us section below.

Criminal convictions and offences data

Depending on the jurisdiction in which you operate and on your specific role, we may collect information about your criminal convictions and offences if we offer you a position with us and you accept (conditional on checks and any other conditions, such as references, being satisfactory). We do this to satisfy ourselves that there is nothing in your criminal convictions and offences history which makes you unsuitable for the role. Our roles require a high degree of trust and integrity, and it is therefore best practice to undertake such checks and a pre-requisite in some instances.

We may only use information relating to criminal convictions where the law allows us to do so. This will usually be where such processing is necessary to carry out our obligations and provided we do so in line with our Data Protection Policy.

We have in place appropriate policies and safeguards which we are required by law to maintain when processing such data.

Automated Technologies and AI Use

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making.

As part of our ongoing efforts to improve efficiency, we may use some artificial intelligence (AI) tools that support communication and system functionalities. Some third-party software tools may process your personal data, such as the Microsoft Office 365 suite of applications, including Connected Experiences, including the Microsoft Copilot functionality, an AI tool.

Throughout the application process, your personal data may be processed within the Microsoft Office 365 suite of applications. This processing is carried out in accordance with Microsoft’s privacy and security standards. For more information about how Microsoft may process your personal data, see the Microsoft privacy statement which can be accessed here: Microsoft Privacy Statement – Microsoft privacy. If you have any questions or concerns about this processing, please contact our Data Protection Officer on the contact email address set out in the ‘Contact us’ section.

Our use of AI tools for processing your personal data is carried out on the basis of our Legitimate Interests. We balance our interests against your data protection rights and apply appropriate safeguards to protect your personal data.

Who we might share your information with

We will only share your Personal Data with the following third parties for the purposes of processing your application:

  • Recruitment agencies.
  • Our HR management and recruitment system.
  • Parties, such as other teams, consultants or third-party service providers involved with pre-employment checks, visa applications, and so on.
  • Our IT Service Providers, such as Microsoft Corporation.

All our third-party service providers are required to take appropriate security measures to protect your Personal Data in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

We have Data Processor Agreements in place with our data processors. This means that they cannot do anything with your Personal Data unless we have instructed them to do it. They will not share your Personal Data with any organization apart from us or further sub-processors who must comply with our Data Processor Agreement. They will hold your Personal Data securely and retain it for the period we instruct.

How long we keep your information for

We will retain your Personal Data for no longer than twelve (12) months after we have communicated to you our decision about whether to appoint you. We retain your Personal Data for that period so that we can show, in the event of a legal claim, that we have not discriminated against candidates on prohibited grounds and that we have conducted the recruitment exercise in a fair and transparent way. After this period, we will securely destroy your Personal Data in accordance with our data retention policy and relevant Data Protection Legislation.

If we decide to keep your information for potential future opportunities, we will contact you to request your consent to retain it for a further period. If we do not contact you twenty-four (24) months after the end of your last application, we will delete the data. You have the right to withdraw your consent for processing for this purpose at any time. To withdraw your consent, please contact us as set out below.

Your Privacy Rights

You have the following rights:

You have the right to be informed about the collection and use of your personal data. We ensure we do this with our internal and external Privacy Notices (including this document). These are regularly reviewed and updated to ensure these are accurate and reflect our data processing activities.

Request access to your personal data (commonly known as a ‘data subject access request’), to receive a copy of the personal data we hold about you and to check it is being lawfully processed. We would ask for proof of identity and sufficient information about your interactions with us so that we can locate your Personal Data.

If any of the Personal Data we hold about you is inaccurate, incomplete, or out of date, you can request correction of the personal data that we hold about you.

You have the right to object to our processing of some or all of the personal data that we hold about you. This is an absolute right when we use your data for direct marketing but may not apply in other circumstances where we have a compelling reason to do so, e.g., a legal obligation.

You have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances, for example where there is no good reason for us to continue to process it, or where you have exercised the right to object to processing. However, the right to erasure does not apply where we have a legal obligation to retain your personal data.

You have the right to request that we restrict the processing of your personal data, for example if you want us to suspend processing of certain data to establish its accuracy or the reason for processing it. The right is not absolute and only applies in certain circumstances.

You have the right to request the transfer of your personal data to another controller. This right to portability gives you the right to receive personal data you have provided to a controller in a structured, commonly used, and machine-readable format.

You have the right to object to our processing where a decision is made about you solely based upon automated processes and which has significant or legal effects. Draig does not intend to conduct any automated decision-making for your Personal Data.

If you wish to exercise any of the rights set out above, please contact us.

Depending on your jurisdiction, it is possible that a different regulator or supervisory authority may govern the processing of Personal Data. Your government’s website should be able to point you in the right direction of the relevant regulatory body. You can find your country’s regulatory body here: https://edpb.europa.eu/about-edpb/about-edpb/members_en. If you have any questions about which supervisory authority applies in your jurisdiction, please contact us using the contact details set out in the Contact Us section as set out below.

In the UK, the Information Commissioner's Office (ICO) regulates data protection and privacy matters. They make a lot of information accessible to consumers on their website, which you can access here: For the public | ICO.

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues. We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance. Your satisfaction is extremely important to us, and we will always do our very best to solve any problems you may have.

Providing Draig with other people's data

If you give us any Personal Data that does not relate to you (e.g., Personal Data about another candidate), you must ensure that you have the required legal basis to collect and share such Personal Data. You must also tell them what Personal Data you have given to us, and make sure they agree we can use it as set out in this privacy notice. You must also tell them how they can see what information we have about them and correct any mistakes.

Data Security

Data security is of great importance to Draig. We have put in place appropriate technical and organizational measures to prevent your Personal Data from being accidentally lost, used, or accessed in an unauthorized way, altered, or disclosed.

We take security measures to protect your information including:

  • Limiting access to our buildings and resources to only those that we have determined are entitled to be there (by use of passes, key card access and other related technologies).
  • Managing a data security breach reporting and notification system which allows us to monitor and communicate information on data breaches with you or with the applicable regulator when required to do so by law.
  • Implementing access controls to our information technology.
  • As required, deploying appropriate procedures and technical security measures (including strict encryption, anonymization and archiving techniques) to safeguard your information across all our computer systems, networks, websites, mobile apps, offices, and stores.

International Transfers

Draig uses service providers in multiple countries. Therefore, we may need to transfer and use your Personal Data outside of the country where we collect it from you. We implement appropriate measures to protect your Personal Data when we transfer your Personal Data outside of your home country. This includes appointment of the EU representative to handle local data queries, as well as having appropriate agreements in place to protect your data, such as data transfer agreements that incorporate standard data protection clauses.

You can request a copy of the standard contractual clauses we use from our DPO using the contact details in the Contact Us section below.

What happens if our business changes hands

We may, from time to time, expand or reduce our business and this may involve the sale and/or the transfer of control of all or part of our business. Any personal data that you have provided will, where it is relevant to any part of our business that is being transferred, be transferred along with that part and the new owner or newly controlling party will, under the terms of this Privacy Notice, be permitted to use that data only for the purposes for which it was originally collected by us.

Links to Other Websites

Our careers portal and recruitment pathway may contain links to websites or mobile applications we do not own or control. Our Privacy Notice does not cover this processing. Please read the privacy notices on those websites and mobile applications if you would like to find out how they collect, use and share your Personal Data.

Changes to This EU and UK Candidate Data Privacy Notice

This EU and UK Candidate Data Privacy Notice is effective as of 09 February 2026 and will remain in effect except with respect to any changes in its provisions in the future, which will be in effect immediately after being posted on this page.

We reserve the right to update or change our Privacy Notice at any time and you should check this Privacy Notice periodically. Your continued use of the website after we post any changes to the Privacy Notice on this page will constitute your understanding of these changes.

Contact Us

If you would like to exercise one of your rights as set out above, or you have a question or a complaint about this Privacy Notice or the way your Personal Data is processed, please contact our Data Protection Officer (DPO) by one of the following means:

By email: dpo@draigtherapeutics.com

By telephone: +44 (0) 203 979 1289

By post: Draig Therapeutics, Sbarc | Spark, Maindy Road, Cardiff, CF24 4HQ, Wales

To contact the EU Representative please use email: eurep@draigtherapeutics.com

Glossary

“Data Controller” means the person or organisation that determines how and why your data is being collected and used.

“Personal data” refers to any information relating to an identified or identifiable natural person, whether that information can be used alone or in conjunction with other information to identify a natural person.

“Process” (or “Processing”) means any operation or set of operations which is performed on personal data or sets of personal data, whether by automated means, such as collection, use, and erasure.

Thank you for taking the time to read our notice.