Candidate notice

This Candidate Notice applies to the processing of Candidates’ Personal Data by the Company through recruiting activities, job applications and job vacancy advertisements in accordance with Regulation (EU) 2016/679 (GDPR).

This Candidate Notice does not apply to the processing of applicants’ data after they are hired and during their employment.

This Candidate Notice applies to any and all forms of use of Personal Data for a current, former or prospective Candidate of any of the Company employing entities.

In order to manage Candidates, the following categories of Personal Data are processed:

The Company will not require you to provide sensitive Personal Data, except to the extent that the collection of such information is required under applicable law. Sensitive Personal Data, also known as special categories of data (article 9 of GDPR), means “Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation”.

When processing an application, the Company does not use automated decisions based on Personal Data. When the Company verifies a Candidate’s professional data by contacting the Candidate’s references or other third parties, the Candidate is responsible for making sure that before providing Personal Data about other individuals to the Company, they let them know that they will be sharing their identification and contact data with the Company.

The legal grounds for processing the collected Personal Data applicable to Candidates are:

Personal Data collected is processed internally only by duly authorised and informed persons, within the scope of the recruitment process.

The Company will not pass on or sell Personal Data to third parties for their own marketing purposes.

The Company shares Personal Data externally only in the following cases:

• Customers or trusted partners that work with the Company and require identity data and contact data for operations, business development, selling and support purposes
• Service providers to assist the Company in managing our website:
  • Starion Group SA, a sister company to Nexova Group SA (marketing and website management)
  • Full Fat Things (website management, design and hosting)
  • Hetzner Online GmbH (website hosting)
  • Mailchimp (email management)
  • CookieBot (cookie management)
• Starion Group, being a sister company of Nexova Group, to offer Nexova candidates new employment opportunities in future within Starion Group
• Professional consultants and advisers including public relations firms, market research and consulting companies, lawyers, bankers, auditors, consultants and insurers.
• Regulators and other authorities who require reporting of processing activities in certain circumstances namely:
  • To comply with Nexova’s legal obligations
  • To exercise Nexova’s legal rights (e.g. pursue or defend a claim)
  • For the prevention, detection and investigation of crime.

Depending on the situation, these recipients sign a written contract with Nexova distinguishing between different types of roles:

• Data (sub-)Processor: this is the person/entity who processes the data on behalf of the Company and according to the Company’s documented instructions
• Joint Data Controllers: Nexova jointly determines with a client/provider the purposes and means of processing; they determine their respective responsibilities for compliance in specific privacy clauses
• Independent Data Controllers: each party is acting as a separate Data Controller, respecting the duties and responsibilities of a Data Controller according to GDPR.

On the basis of specific agreements, the Company ensures compliance with the instructions and measures put in place for data processing.

If an international transfer of information involving Personal Data is needed, Nexova ensures that there are appropriate safeguards in place to ensure the safety and integrity of Personal Data through the following measures:

• Binding corporate agreements which give Personal Data the same protection it has in the European Economic Area (EEA)
• Standard contractual clauses approved by the European Commission for international transfer of Personal Data outside the EEA into contracts with those third parties, or the country in which personal information will be processed has been deemed ‘adequate’ by the European Commission
• European Data Protection Board opinions on the European Commission Implementing Decision on the adequate protection of Personal Data under the EU-US Data Privacy Framework.

When a Candidate submits an application via the Company website, the data is processed by Hetzner Online Gmbh, one of Nexova’s Data Processors, whose servers are located in Germany.

The Personal Data of Candidates is stored and kept by Starion Group SA, a sister company of Nexova offering corporate services, on servers located in Belgium within the Recruitment private SharePoint site with proper access restrictions. The Personal Data of Candidates is also stored and kept in 'TalentHub', a customised solution based on Microsoft Power Apps.

If the application is successful, the Company retains each Candidate’s Personal Data as part of its employee records.

If the application is unsuccessful, the Company retains each Candidate’s Personal Data for 7 years or until withdrawal of consent. Data is retained for contacting the Candidate regarding future employment opportunities (in both Nexova and its sister company Starion Group) and for our legitimate business purposes (for example to make sure we do not contact an individual about a role they have already applied for).

Personal Data submitted for subscription to the Company’s Careers newsletter is held up to the time that a person unsubscribes, i.e. when they withdraw consent to receive weekly updates on open positions.

Personal Data submitted for an open application is held for 7 years or until consent is withdrawn.

The consent to process Personal Data according to this Candidate Notice is collected and recorded either by signing this notice digitally/in paper or by clicking the checkbox of consent in the online job/open application form, declaring to have read and accepted it.

Candidates are made aware of this Candidate Notice on the Company website when they directly send their Personal Data to the Recruitment Team without completing the website job/open application form.

The Company employees make Candidates aware of this Candidate Notice when they provide the Recruitment Team with a Candidate’s data via the referral form.

The Company ensures security of processing (Article 32 of GDPR) by implementing appropriate technical and organisational measures to ensure an appropriate level of security. When assessing the appropriate level of security, the Company will take into consideration:

• Risks presented by processing: accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed (data breach)
• State of the art of security measures, costs of implementation of new security measures
• Nature, scope, context and purposes of processing
• Risk of varying likelihood and severity for the rights and freedoms of individual people.

Details of specific technical measures are available by sending an email to privacy [at] nexovagroup.eu (privacy[at]nexovagroup[dot]eu).

Website users have the following Data Subjects’ rights with regard to their Personal Data:

• Right of access (Article 15): request access to all Personal Data processed
• Right of rectification (Article 16): ask that any Personal Data that is inaccurate is corrected free of charge
• Right to withdraw consent (Article 7): withdraw earlier given consent for processing Personal Data
• Right of deletion (Article 17): request deletion of Personal Data if it is no longer required in light of the purposes outlined in this policy or if the consent to process them is withdrawn
• Right of limitation (Article 18): ask to limit the processing of Personal Data if and when: a) the Data Subject contests the accuracy of that data; b) the processing is illegitimate; or c) the data is no longer needed for the purposes listed but the Data Subject needs it to defend themselves in judicial proceedings
• Right of portability (Article 20): receive the Personal Data in a structured, commonly used and machine-readable format and, where technically feasible, directly transmit that data to another organisation
• Right to object to automated processing, including profiling (Article 21): object to be subject to the legal effects of automated processing or profiling.

To exercise one or more of the rights listed above, Data Subjects should send an email to privacy [at] nexovagroup.eu (privacy[at]nexovagroup[dot]eu).

The Data Protection Officer will promptly inform the Data Subject of having received this request. If the request proves valid, the Company will process it within 30 days of having received the request. If Data Subjects are unsatisfied with the response, they are free to file a complaint with the competent data protection authority.

We reserve the right to change our Candidate Notice at any time. On this page you will always find the most recent version. If the new Candidate Notice affects the way in which we process data relating to you that has already been collected, we will notify you by email.

This Candidate Notice was last reviewed and updated in April 2025.

Jurisdiction: Belgium

Country-specific legal requirement:

The Company is entitled to rely on ‘soft opt-in’ consent in respect of certain marketing messages that the Company wishes to send to website users. In all other e-marketing circumstances, active ‘opt-in’ consent is required by law and the Company is required to keep records of each specific consent provided by users.

Note: this section will be updated when local implementing law shall be finalised