Candidate Privacy Policy

1. General Provisions

This Candidate Privacy Policy (the “Policy”) describes how EPC Network (the “Company”) collects, uses, stores, and protects personal data provided by candidates in the course of recruitment and hiring processes.

EPC Network acts as the Data Controller of personal data processed under this Policy.

For any questions regarding the processing of personal data, candidates may contact the Company at: hr@epcnetwork.io.

This Policy applies to candidates located in the European Union, the European Economic Area, Ukraine, and other jurisdictions where applicable data protection laws apply.

The Company processes personal data in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR) and applicable Ukrainian data protection legislation.

2. Categories of Personal Data Processed

During the recruitment process, the Company may process the following categories of personal data:

• Full name and identification details;
• Contact information (email address, phone number, location);
• Information contained in CVs/resumes (education, professional experience, qualifications, skills, references);
• Cover letters;
• Information obtained during interviews and evaluation processes;
• Results of test assignments or professional assessments (where applicable);
• Any other information voluntarily provided by the candidate.

The Company does not intentionally collect or process special categories of personal data (such as health data, religious beliefs, or political opinions), unless required by law.

3. Purposes of Processing

Personal data is processed strictly for the following purposes:

• Reviewing and assessing the candidate’s application;
• Conducting interviews and evaluating professional suitability;
• Making hiring decisions;
• Maintaining a talent pool (subject to separate consent);
• Complying with applicable legal obligations.

Personal data is not used for marketing purposes and is not shared beyond the scope defined in this Policy.

4. Legal Bases for Processing

The Company processes personal data on the following legal bases:

• The candidate’s consent;
• The necessity to take steps prior to entering into an employment contract;
• Compliance with legal obligations;
• The Company’s legitimate interest in ensuring fair and transparent recruitment processes and protecting its legal rights, where permitted by applicable law.

5. Data Retention Period

If a candidate is not hired, personal data will be retained for 12 (twelve) months following the completion of the relevant recruitment process.

If the candidate provides separate consent to be included in the Company’s talent pool, personal data may be retained for up to 24 (twenty-four) months.

After the applicable retention period expires, personal data will be deleted or anonymized unless further retention is required by law or necessary to protect the Company’s legitimate interests.

6. Disclosure to Third Parties

Personal data may be shared with:

• Employees of the Company involved in the recruitment process;
• HR and IT system providers supporting recruitment operations;
• External consultants or contractors assisting in recruitment activities;
• Public authorities where required by law.

Data is shared strictly on a need-to-know basis and subject to appropriate confidentiality and security measures.

Where personal data is transferred internationally, the Company ensures that appropriate safeguards are implemented in accordance with GDPR requirements.

7. Candidate Rights

Candidates have the right to:

• Access their personal data;
• Request correction of inaccurate or outdated data;
• Request deletion of personal data where no legal basis for processing exists;
• Restrict processing in legally defined circumstances;
• Withdraw consent at any time;
• Lodge a complaint with a competent data protection authority.

Requests to exercise these rights may be submitted to the contact email provided in Section 1.

8. Withdrawal of Consent

Candidates may withdraw their consent to the processing of personal data at any time.

Withdrawal of consent does not affect the lawfulness of processing carried out prior to such withdrawal.

9. Data Security

The Company implements appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction.

Access to personal data is limited to authorized personnel who require such access to perform their duties.

10. Updates to This Policy

The Company reserves the right to amend this Policy. The updated version will be published on the Company’s official resources and becomes effective upon publication.