
Processing of (personal) data by the entity in charge of the online application process

GNOSIS


Recruitment Privacy Notice


Last updated on 6 February 2026

1. General

This privacy notice applies to all personal information processing activities carried out by Gnosis Ltd. in relation to recruitment. This policy sets out what personal data we collect and how we process it when you apply for employment with Gnosis.

We do not collect, use or process personal data without an appropriate legal basis or without your express consent (which may also be given electronically). Consent, which has been given, may be revoked by you at any time with effect for future use.

“Personal data and personal information” means any information relating to you as an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to your physical, physiological, genetic, mental, economic, cultural or social identity.

2. What categories of personal information we collect.

We maintain certain personal information about you as part of our recruitment process. This includes:

· your address
· personal email address
· personal phone number
· date and place of birth
· educational history
· employment history
· training certification and records
· portfolio
· curriculum vitae and any information contained in a covering letter
· details of previous salary and benefits
· employment or character references
· visa status
· salary expectations
· other information obtained during the interview process

3. How do we collect this information?

We may have become aware of this information in a number of ways: directly from you at the commencement of or during the course of the recruitment process, through our assessment and interview process, from publicly available sources and from third parties such as recruiters. We will receive and/or retain it in various formats (in writing, electronically, verbally or otherwise).

4. Why do we process this information? 

We have identified the specific legal bases for processing your personal data as detailed below. For each category of processing, we have defined the underlying purpose and mapped it against the corresponding lawful basis to ensure full transparency.

We collect and process personal data for a variety of reasons, such as:

(a) Contractual necessity – your Personal Data will be processed in order to take steps, at your request, prior to entering into a contract;

(b) Legal Obligation – we are required by law to collect and process certain personal information;

(c) Legitimate interests – we may collect and process your personal data where it is in our legitimate interests to do so and without prejudicing your interests or fundamental rights or freedoms. We have conducted the necessary balancing tests for these activities, and you may obtain details of these upon request; and

(d) Consent – you have given your explicit consent for us to process your Personal Data for specific purpose(s).


The text below specifies the purposes for which we use your information and the legal basis relied upon for each: 

Purpose of Processing – To consider and check qualifications and suitability for the role
Categories of Personal Data – CV, transcripts, professional certifications
Lawful Basis – Legitimate Interests: Our interest in ensuring we hire qualified candidates for the benefit of the organisation.

Purpose of Processing – To communicate with you regarding your application
Categories of Personal Data – Name, email address, phone number
Lawful Basis – Contractual necessity: Taking steps at your request prior to a contract.

Purpose of Processing – To consider your employment history and experience
Categories of Personal Data – Employment records, references, LinkedIn profile
Lawful Basis – Legitimate Interests: Necessary to assess professional suitability for the position.

Purpose of Processing – To comply with record keeping and other obligations prescribed by law
Categories of Personal Data – Right-to-work documents, tax identifiers
Lawful Basis – Legal Obligation: Mandatory statutory requirements.

Purpose of Processing – To retain your data on file for future opportunities if your current application is unsuccessful
Categories of Personal Data – Application history, contact details, interview notes
Lawful Basis – Consent: You may choose to provide explicit consent during the application process for this specific purpose.

5. Where do we store and how do we ensure your data is safe?

We store your personal information electronically with restricted access.

Our staff dealing with recruitment matters control the storage of your personal data records. We have security measures in place, which will ensure the confidentiality of the information contained. These measures will be reviewed over time and upgraded in line with technological developments and legal requirements.

6. How long do we record your data for?

We retain your information only for as long as is necessary for the purposes for which we process the information as set out in this policy. Records can be held on a variety of media (physical or electronic) and formats.

Retention periods are determined based on the type of record, the nature of the record and activity and the legal or regulatory requirements that apply to those records.

Generally speaking, we will keep your data for a period of 6 months from the date of the conclusion of the recruitment process with you. However, if you commence employment with us, the provisions of our employee privacy policy apply and personal data may be processed in accordance with that policy.

If you are an unsuccessful candidate, you may in any event wish to have your data retained on file in case of further opportunities that may arise with us in the future. In this case, you can give your consent within the application process.

7. Our obligations to keep your data accurate and up to date

We are required to keep any data we hold accurate and up to date. You have a right to rectification (see below).

8. How we share your personal data

Who do we disclose it to? 

a) Gnosis group of companies, business partners, administration centres, third parties, agents or independent contractors and other associated organisations that provide services to any member of Gnosis Group (such as IT systems providers, platform providers, financial advisors, brokers, consultants (including lawyers and accountants))

b) Government or law enforcement bodies 

c) Third party service providers 

d) A potential buyer, transferee, merger partner or seller and their advisers in connection with an actual or potential transfer or merger of part or all of Gnosis’s business or assets


9. Transferring your Personal Data outside of the European Economic Area (“EEA”), the United Kingdom or Gibraltar

For Personal Data subject to the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK General Data Protection Regulation (“UK GDPR”) or the Data Protection Act 2004 (as amended) (“DPA”), we may transfer your Personal Data outside of the UK, EEA or Gibraltar for the purposes described above. This may include countries that do not provide the same level of protection as the laws of your home country. We will ensure that any such international transfers are made subject to appropriate or suitable safeguards, such as Standard Contractual Clauses, if required by GDPR, UK GDPR, DPA or other relevant laws. You may contact us at any time using the contact details below if you would like further information on such safeguards.

10. Your Rights

Right to request access

You have a right to obtain information regarding the processing of your Personal Data and access to information we hold about you. We are happy to provide you with details of your Personal Data that we hold or process. Please note that there may be circumstances in which we are entitled to refuse requests for access to copies of personal information (in particular, information that is subject to legal professional privilege). We may request that you prove your identity in order for us to comply with our security obligations and to prevent unauthorised disclosure of data. We reserve the right to charge you a reasonable administrative fee for any manifestly unfounded or excessive requests concerning your access to your data and for any additional copies of the Personal Information you request from us.

The right to rectification

You have the right to have any inaccurate personal information about you rectified and to have any incomplete personal information about you completed. You may also request that we restrict the processing of that information.

The right to erasure

You have the general right to request the erasure of your personal information.

We will proceed to comply with an erasure request without delay unless continued retention is necessary.

The right to restrict processing 

You have the right to restrict the processing of your personal information under certain circumstances.

The right to object to processing

You have the right to object to processing of your personal information under certain circumstances.

The right to data portability

Where the legal basis for our processing is your consent or is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract, you have a right to receive the personal information you provided to us in a portable format and port this to another controller.

The right to complain to a supervisory authority

If you wish to raise a complaint on how we have handled your Personal Data, you can contact us using the contact details below and we will then investigate the matter. If we have not responded to you within a reasonable time or if you feel that your complaint has not been resolved to your satisfaction, you are entitled to make a complaint to the Data Protection Commissioner under the Data Protection Act, which is currently the Gibraltar Regulatory Authority (GRA). You may contact the GRA on the below details:

Gibraltar Data Protection Commissioner, Gibraltar Regulatory Authority, 2nd Floor, Eurotowers 4, 1 Europort Road, Gibraltar. Email: info@gra.gi. Phone: (+350) 200 74636. Fax: (+350) 200 72166.

You may also have the right to lodge a complaint with the supervisory authority in the country of your habitual residence, place of work, or the place where you allege an infringement of one or more of your rights has taken place.

The right to withdraw consent 

Where the legal basis for processing your personal information is your consent, you have the right to withdraw that consent at any time. In certain circumstances it may be lawful for us to continue processing without your consent if we have another legitimate reason (other than consent) for doing so, such as where we need to administer a contract with you or to comply with our legal obligations.


11. Updates to this Privacy Notice

This Privacy Notice was last updated on the date stated above. We reserve the right to update and change this Privacy Notice from time to time, for example, in order to reflect any changes to the way in which we process your Personal Data or changing legal requirements. In case of any such changes, we will post the updated Privacy Notice on our website or publish it otherwise. The changes will take effect as soon as they are posted on our website. 

12. Contact and further information 

If you would like a copy of the Personal Data or wish to exercise any of your Data Subject Rights as set out in this Notice, or if you have any questions regarding this Notice or generally about the way we handle your Personal Data, please contact:

Gnosis Limited, a company incorporated in Gibraltar with registration number 115571 and with its registered address at World Trade Center, 6 Bayside Road, Gibraltar. Email: dataprotection@gnosis.io


Gnosis has appointed Bird & Bird DPO Services SRL as a Data Protection Officer (DPO), and the DPO may be reached:

  • by using the following email: DPO.GnosisPay@twobirds.com

  • by mail at the following address: Bird & Bird DPO Services SRL, Avenue Louise 235 b 1, 1050 Brussels, Belgium

Processing of (personal) data by the operator of the recruitment website

General information

This recruitment website is operated by Personio SE & Co. KG, which offers a human resource and candidate management software solution (https://www.personio.com/legal-notice/). Data transmitted as part of your application will be transferred using TLS encryption and stored in a database. The sole controller of this data within the meaning of article 24 of the GDPR is the enterprise carrying out this online application process. Personio’s role is limited to operating the software and this recruitment website and, in this context, being a processor under article 28 of the GDPR. In this case, the processing by Personio is based on an agreement for the processing of orders between the controller and Personio. In addition, Personio SE & Co. KG processes further data, some of which may be personal data, to provide its services, in particular for operating this recruitment website. We will refer to this in more detail below.

The controller

The controller under data protection law is:
Personio SE & Co. KG
Seidlstraße 3
80335 München
Tel.: +49 (89) 1250 1004
Entry in the commercial register
Commercial register entry number: HRA 115934
Registration Court: Amtsgericht München
Data Protection Officer contact: privacy@personio.com

Access logs (“server logs”)

Each access to this recruitment website automatically causes general protocol data, so-called server logs, to be collected. As a rule, this data is pseudonymous and thus does not allow for inferences about the identity of an individual. Without this data, it would, in some cases, be technically impossible to deliver or display the contents of the software. In addition, processing this data is absolutely necessary for security reasons, in particular for access, input, transfer, and storage control. Furthermore, this anonymous information can be used for statistical purposes and for optimizing services and technology. In addition, the log files can be checked and analyzed retrospectively when unlawful use of the software is suspected. The legal basis for this is §25 subsection 2 Sentence 2 TDDDG. Generally, data such as the domain name of the website, the web browser and web-browser version, the operating system, the IP address, as well as the timestamp of the access to the software is collected. The scope of this log process does not exceed the common log scope of any other site on the web. These access logs are stored for a period of up to 7 days. There is no right to object to this.

Error logs

So-called error logs are generated for the purpose of identifying and fixing bugs. This is absolutely necessary to ensure we can react as quickly as possible to possible problems with displaying and implementing content (legitimate interest). As a rule, this data is pseudonymous and thus does not allow for inferences about the identity of an individual. The legal basis for this is §25 subsection 2 Sentence 2 TDDDG. When an error message occurs, general data such as the domain name of the website, the web browser and web-browser version, the operating system, the IP address, as well as the timestamp upon occurrence of the respective error message and/or specification is collected. These error logs are stored for a period of up to 7 days. There is no right to object to this.

Use of cookies

So-called cookies are used on parts of this recruitment website. They are small text files which are stored on the device with which you access this recruitment website. As a general rule, cookies serve the purpose of ensuring secure access to a website (“absolutely necessary”), implementing certain functionalities such as standard-language settings (“functional”), improving the user experience or the performance of the website (“performance”), or placing targeted advertisements (“marketing”). On this recruitment website, we generally use only cookies that are absolutely necessary, functional or performance-related, in particular for implementing certain default settings such as language, for identifying the job advertising channel, or for analyzing the performance of a job advert via which a user accessed this recruitment website. The use of cookies is absolutely necessary for providing our services and thus for the performance of the contract (article 6 (1) b) of the GDPR).

Period of storage: up to 1 month or until the end of the browser session.

Right to object: You can determine via your browser settings whether you allow or object to the use of cookies. Please note that deactivating cookies may result in limited or completely blocked functionalities of this recruitment website.

Rights of data subjects

If Personio SE & Co. KG as the controller processes personal data, you as the data subject have certain rights under Chapter III of the EU General Data Protection Regulation (GDPR), depending on the legal basis and the purpose of the processing, in particular the right of access (article 15 of the GDPR) and the rights to rectification (article 16 of the GDPR), erasure (article 17 of the GDPR), restriction of processing (article 18 of the GDPR), and data portability (article 20 of the GDPR), as well as the right to object (article 21 of the GDPR). If the personal data is processed with your consent, you have the right to withdraw this consent under article 7 III of the GDPR. To assert your rights as a data subject in relation to the data processed for the purpose of operating this recruitment website, please refer to Personio SE & Co. KG’s Data Protection Officer (see item B).

Concluding provisions

Personio reserves the right to adjust this data privacy statement at any point in time to ensure that it is in line with the current legal requirements at all times, or in order to accommodate changes in the services offered, for example when new services are introduced. In this case, the new data privacy statement applies to any later visit of this recruitment website or any later job application.