Job application privacy policy

Deriv Group of companies (hereafter referred to as 'the Company' and 'It') is committed to protecting the privacy and security of the applicant's personal information. This privacy notice sets out the types of data that the Company collects on the applicant. It also sets out how the Company collects and uses the applicant's personal data, how long it keeps that data, and other relevant information about the applicant's data in accordance with the General Data Protection Regulation (EU) 2016/679 (hereafter referred to as 'GDPR') and Data Protection Act 2018.

This privacy notice only applies to job applicants residing in the EU.

The Company is required under data protection legislation to notify the applicant of the information contained in this privacy notice. As such, it is important that the applicant read this notice, together with any other privacy notice that the Company may provide for the applicant on specific occasions when the Company is collecting or processing personal data about the applicant, so that the applicant is aware of how and why the Company is using such information.


The following terms shall have the meanings set out below and cognate terms shall be construed accordingly:

'Data Protection Act (DPA)' shall mean Data Protection Act 2018, Chapter 440 of the Laws of Malta.

'GDPR' shall mean EU General Data Protection Regulation 2016/679.

'Processing' shall mean any operation which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, restriction, erasure, or destruction, etc.

Types of personal data collected

The Company collects, stores, and processes a range of information about the applicant, including but not limited to the following:

  • The applicant's personal details, including name, address, date of birth, nationality, gender, and contact details, comprising email address and telephone number
  • The applicant's qualifications, skills, education, experience, and employment history
  • Details of the applicant's current level of remuneration, including entitlement to benefits such as pensions or insurance cover, if applicable
  • Information about the applicant's medical or health conditions, including whether or not the applicant has a disability for which the Company needs to make reasonable adjustments

The Company may collect this information in a variety of ways. Data is collected and contained in CVs or resumes, cover letters, and identity documents, via Self-Assessment Topgrading Questionnaires/Interview (SATI), or through interviews or other forms of assessment, including online tests.

The Company may also collect personal data about the applicant from third parties, such as further references supplied by former employers and information from criminal records checks permitted by law.

Data will be stored in a range of different places, including on the applicant's application record, in HR management systems, and on other IT systems (including email).

Purpose of collecting personal data

The Company typically collects and processes the applicant's personal data for the purposes of the legitimate interests that It pursues. Here are some examples of such interests:

  • Making decisions about who to employ and what salary and benefits to offer
  • Making any reasonable adjustments for disabled employees
  • Responding to and defending against legal claims

The Company also collects and processes the applicant’s data to decide whether to enter into a contract with the applicant.

In some cases, the Company needs to process the applicant’s personal data to comply with the Company’s legal obligations, for example conducting necessary checks in relation to the right to work in a specific jurisdiction.

The applicant is under no statutory or contractual obligation to provide data to the Company during the recruitment process. However, if the applicant chooses not to provide any necessary information, the Company may not be able to proceed with their application.


The Company shall ensure the confidentiality of all personal data provided by the applicant at all times and shall ensure that it is protected against any accidental loss or disclosure, destruction, and abuse. The Company shall also ensure that such personal data is only processed and stored as necessary for the purposes specified in this privacy policy and all applicable Data Protection Laws.

The Company shall further disclose information about the applicant internally within the Deriv Group of companies for the purpose of the recruitment exercise. The Company shall ensure that a data-sharing agreement is in place and that the applicant's data is held securely and in line with GDPR requirements. The Company shall further disclose information about the applicant when It is legally obligated to do so.

Data retention

The applicant's personal data shall be stored for a period of six months after the end of the relevant recruitment process if the applicant is unsuccessful in their job application or if they have declined an offer of employment with the Deriv Group of companies. At the expiry of that period, the applicant's data is deleted or destroyed unless the Company is required to further retain the applicant's information to exercise or defend any legal claims.

If the applicant's application is successful and an offer of employment with the Company is accepted, the applicant's data will be retained until the cessation of their employment. In this case, a separate privacy policy for employees will be made available to the applicant.

Applicant's rights

In light of the EU General Data Protection Regulation 2016/679 and the Data Protection Act 2018, the applicant is entitled to the following rights with regard to the applicant's personal data:

  • The right to be informed of the use of their personal data, as reflected in this privacy policy
  • The right to request access to their data from the Company
  • The right to rectify their personal data if the Company holds any information about the applicant that is incomplete or inaccurate
  • The right to delete their personal information, subject to the data retention practice of the Company

The applicant also has the right to restrict the further processing of their personal data.

In some circumstances, the applicant has the right to data portability, which is the right to request a copy of their personal data in a digital format and, where possible, ask the Company to transfer it to another company.

The applicant has the right to lodge a complaint with the Data Protection Commissioner in Malta if the applicant believes that the Company has failed to comply with the requirements of EU General Data Protection Regulation 2016/679 or the Data Protection Act 2018 with regard to the applicant's personal data.

Automated decision-making

The applicant will not be subject to any recruitment decisions based solely on automated decision-making that will have a significant impact on the applicant.

Changes to this privacy policy

The Company reserves the right to update this privacy policy at any time and will provide the applicant with a new privacy policy when substantial amendments and updates are made. The Company may also notify the applicant in other ways from time to time about the processing of the applicant's personal information.

If the applicant has any questions about this privacy policy or if the applicant would like to exercise any of their rights, they should contact the Company's Data Protection Officer (DPO) by emailing [email protected].