Job applicant privacy notice (GDPR)
Last updated: 16 January 2026
1. Who We Are and Scope of This Notice
This Job Applicant Privacy Notice (the “Notice”) explains how QUANLOOP EUROPE LIMITED, a company incorporated under the laws of the Republic of Cyprus with Registration No. ΗΕ 458279, having its registered office at 131 Gladstonos Street, Kermia Court, 1st Floor, 3032 Limassol, Cyprus (“Quanloop”, “we”, “us”, or “our”), processes personal data about job applicants and candidates and individuals who participate in assessments and subscribe to job alerts or join our talent pool.
For the purposes of the General Data Protection Regulation (EU) 2016/679 (“GDPR”), Quanloop is the Data Controller of the personal data collected through this Site and our recruitment processes. This means that we determine the purposes and means of the processing of your personal data.
This Notice shall apply to recruitment for roles within the European Union, primarily in Cyprus, Estonia, and Hungary, and any other Member State where we may conduct recruitment operations.
2. What Personal Data We Collect
We collect only the personal data necessary for recruitment purposes. The categories of data we may collect include:
- Identification and contact information: name, email address, telephone number, city/country of residence.
- Career profile: CV/résumé, cover letter, skills, work history, education, qualifications, portfolio links, GitHub, LinkedIn, or other professional profiles.
- Recruitment process data: interview and assessment scheduling details, interviewer notes, communications with you (including emails), application status and outcomes.
- Assessments: results and reports from technical, aptitude, or similar tests (where used).
- Right-to-work and background checks: For all roles, we verify identity and eligibility to work. Where lawful and proportionate, we may conduct additional checks (e.g., criminal record, credit checks) for specific roles and jurisdictions, usually at offer stage.
- Referrals and agency submissions: contact details of referrers or recruitment agencies and any notes they provide.
- Website and consent logs: application timestamps, IP address, device metadata, cookie/consent preferences, email subscription and unsubscribe events.
- Optional diversity and equal-opportunity data (special category data): If you choose to provide it, we may collect self-identification data on protected characteristics aligned with EU and national laws, including gender, age range, disability status, ethnic or racial origin, sexual orientation, and optionally family status (e.g., marital or parental responsibilities) to monitor potential barriers to employment. This data is voluntary, processed with your explicit consent, kept separate from selection decisions, and used in aggregate form only for monitoring and reporting purposes.
- Reasonable accommodation: information you provide about accessibility or health-related needs (e.g., adjustments required during the application process) so we can support you effectively.
Please note: Avoid including special-category or other sensitive data unless we specifically request it for the purposes described above.
3. How We Collect Your Data
We collect personal data directly from you via email to [email protected] or web form (if enabled), including any voluntary self-identification for equal-opportunity monitoring or reasonable accommodation requests.
We may also collect data from the following sources:
- Referrers or recruitment agencies acting on your instruction or under written contract with us;
- Assessment or screening providers engaged by us;
- Public professional sources you have shared with us (e.g., LinkedIn, GitHub); and
- Our corporate email and collaboration systems used during the recruitment process.
4. Why We Use Your Data and Our Lawful Bases
We process your personal data for the following purposes and legal bases under GDPR:
- To evaluate and progress your application: We assess your suitability, arrange interviews, make recruitment decisions, and issue employment offers. This processing is necessary to take steps at your request prior to entering into a contract (Article 6(1)(b)).
- Talent pool and job alerts: We maintain a talent pool and send job alerts to those who opt in. The legal basis for this processing is your consent (Article 6(1)(a)). You may withdraw your consent at any time by emailing [email protected] or clicking “unsubscribe” in any job alert email.
- To operate, secure, and improve the careers site: We operate the Site, prevent abuse, detect fraud, maintain logs, defend legal claims, and improve our recruitment processes. This processing is based on our legitimate interests (Article 6(1)(f)). We balance these interests against your rights and freedoms.
- To meet legal obligations: We comply with legal requirements, including right-to-work verification at offer/onboarding stage and equality reporting where required by law. The legal basis is legal obligation (Article 6(1)(c)).
- To process special-category data (if provided): We process special-category data for equal-opportunity monitoring and reasonable accommodations in recruitment. The legal bases are explicit consent for equal-opportunity monitoring (Article 9(2)(a)) and employment, social security, and social protection law for reasonable accommodations in recruitment (Article 9(2)(b)).
5. Cookies and Analytics
We process cookies in accordance with the ePrivacy Directive 2002/58/EC (as transposed into the applicable national cookie laws) and GDPR. Non-essential cookies are placed on your device only after you have provided explicit consent. Google Analytics is configured with IP masking and limited data retention. For full details and to change your preferences at any time, please see our Cookie Policy.
6. Who We Share Your Data With
As we operate as a group with offices in Cyprus, Estonia, and Hungary, your personal data may be shared with our subsidiaries or branches to facilitate the recruitment process. Where an application is submitted for a role in any Member State, your data will be accessible by the hiring team in the relevant jurisdiction and the HR team based in our headquarters in Cyprus. Quanloop acts as the lead contact point for all data protection matters within the group.
We also share your personal data with the following recipients:
- Internal recipients: Authorised Quanloop hiring managers, interviewers, HR, and operations personnel with a legitimate need to know.
- Service providers (data processors): We share data with trusted third-party service providers acting under our written instructions, including email and collaboration tools, assessment providers, background and right-to-work check providers (where lawful), analytics and consent-management providers, and secure hosting and IT infrastructure providers. All processors are bound by written contracts with appropriate data protection obligations.
- Group companies and professional advisers: For recruitment oversight, legal advice, or establishment and defence of legal claims.
- Public authorities and courts: Where required by law or necessary to protect rights, security, or property.
7. International Transfers
We process personal data within the European Economic Area (EEA). If it is necessary to transfer your personal data to a third country outside the EEA, we ensure that the transfer complies with Chapter V of the GDPR by relying on one of the following safeguards:
- Adequacy Decisions: We transfer data to countries that the European Commission has determined provide an adequate level of protection for personal data. This includes transfers to the United States for entities certified under the EU-US Data Privacy Framework.
- Standard Contractual Clauses (SCCs): In the absence of an adequacy decision, we implement the European Commission’s Standard Contractual Clauses (pursuant to Implementing Decision (EU) 2021/914) with our service providers to ensure contractual protection for your data.
- Supplementary Measures: Where necessary, we implement additional technical and organisational measures (such as encryption) and conduct Transfer Impact Assessments (TIAs) to ensure that the level of protection guaranteed by the GDPR is not undermined.
8. How Long We Keep Your Data
We apply retention periods that comply with the national laws of the jurisdictions where we recruit and with data protection best practices. In general, data is deleted or reviewed for deletion in accordance with the periods set out below, unless a longer period is required to establish, exercise, or defend legal claims.
Cyprus (CY)
In Cyprus, we process data in accordance with Law 125(I)/2018 (The Protection of Natural Persons with Regard to the Processing of Personal Data and for the Free Movement of Such Data). We retain personal data of unsuccessful candidates for 12 months from the final decision, after which the information is deleted, unless a longer retention period is necessary to establish, exercise, or defend legal claims. Assessment results and reports produced during the recruitment process are retained for the same 12‑month period from the final decision and are then deleted, subject to the same legal-claims exception.
Where background screening and right‑to‑work checks are carried out, we keep only a summary pass/fail outcome on the recruitment record and do not retain the underlying documents beyond what is necessary. The underlying documents are deleted within 6 months of the decision or, where you are hired, within 6 months of onboarding.
Where you opt in to job alerts or a talent pool on the basis of consent, we retain the relevant profile data for 24 months from the date of opt‑in and send renewal reminders before deletion. If you withdraw your consent, we delete the relevant data without delay.
System and consent logs, as well as security event logs, are retained for 24 months, unless a longer period is required for security purposes or to meet legal obligations.
Complaints regarding the retention of personal data may be lodged with the Office of the Commissioner for Personal Data Protection (www.dataprotection.gov.cy).
Estonia (EE)
Under the Equal Treatment Act, Employment Contracts Act, and Personal Data Protection Act of Estonia, we retain personal data of unsuccessful candidates for 12 months from the final recruitment decision. This allows us to respond to any claims within the statutory limitation period established for discrimination disputes. Where a candidate requests earlier deletion, we will review and respond in accordance with our obligations under Article 17 GDPR (right to erasure).
Criminal-record or credit checks are conducted only where strictly necessary for the specific role (for example, positions in finance or security) and where we have a lawful basis under Estonian law. Such checks are performed after a conditional offer has been made and we retain only summary outcomes, not underlying documents.
National identification details and tax information are collected only at the point of onboarding for successful candidates.
Complaints regarding the retention of personal data may be lodged with the Estonian Data Protection Inspectorate (www.aki.ee).
Hungary (HU)
Under Act I of 2012 on the Labour Code, Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (‘Info Act’), and the GDPR, we retain personal data of unsuccessful candidates for 12 months following the final recruitment decision. This retention period allows us to address any claims arising from the recruitment process whilst respecting the principle of data minimisation.
Background checks, including criminal record checks, are conducted only where strictly necessary, lawful, and proportionate to the requirements of the role (Section 10 of the Labour Code). We do not retain original background check documents; only verified outcomes are recorded in recruitment files.
Right-to-work verification is conducted for all roles. Enhanced background checks are performed only for positions requiring privileged access or the handling of sensitive information.
Health-related data and data concerning gender identity (if collected for diversity monitoring purposes) are processed in strict accordance with Act CXXV of 2003 on Equal Treatment and Promotion of Equal Opportunities and Article 9 GDPR.
Complaints regarding the retention of personal data may be lodged with the National Authority for Data Protection and Freedom of Information (NAIH) (www.naih.hu).
9. Your Rights
Subject to the conditions and exemptions set out in the GDPR and applicable national law, you have the following rights in relation to your personal data:
- Right of access: You have the right to access your personal data and obtain a copy of the data we hold about you.
- Right to rectification: You have the right to require us to correct any inaccurate or incomplete personal data we hold about you.
- Right to erasure: You have the right to require us to delete your personal data in certain circumstances, such as where the data is no longer necessary for the purposes for which it was collected or where you withdraw consent (where processing is based on consent).
- Right to restriction of processing: You have the right to require us to restrict our processing of your personal data in certain circumstances, such as where you contest the accuracy of the data or object to our processing.
- Right to object: You have the right to object to our processing of your personal data where we rely on legitimate interests as the legal basis for processing. This includes the right to object to any profiling carried out for recruitment purposes.
- Right to data portability: Where we process your personal data by automated means on the basis of your consent or for the performance of a contract, you have the right to receive the data you provided to us in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
- Right to withdraw consent: Where we process your personal data on the basis of your consent (for example, for talent pool communications or job alerts), you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
- Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement, if you consider that the processing of your personal data infringes the GDPR.
10. Supervisory Authorities
The primary supervisory authority for our headquarters in Cyprus is the Office of the Commissioner for Personal Data Protection (www.dataprotection.gov.cy).
You also have the right to lodge a complaint with the supervisory authority in the EU Member State where you live, work, or where the alleged infringement took place. The relevant authorities for our current recruitment locations are:
- Estonia: Estonian Data Protection Inspectorate (www.aki.ee)
- Hungary: National Authority for Data Protection and Freedom of Information (NAIH) (www.naih.hu).
11. How to Exercise Your Rights
To exercise any of your rights, please email [email protected] with “Data Rights Request” in the subject line. We may ask for information to verify your identity before responding. We will respond to your request within one month of receipt. If your request is complex or we receive multiple requests, we may extend this period by a further two months. We will inform you of any such extension within one month of receiving your request, together with the reasons for the delay.
12. Data of Minors
The Site and our recruitment processes are directed solely at individuals aged 18 and over. While we recognise that national laws may vary regarding the minimum age for employment, we do not knowingly collect personal data from individuals under the age of 18 for our recruitment purposes.
13. Security
Your personal data is primarily stored on secure servers located within the European Economic Area (EEA).
We implement reasonable technical and organisational measures appropriate to the risks of recruitment processing, including access control and authentication, encryption in transit (e.g., TLS/SSL), least-privilege access principles, secure data retention and deletion, and vendor due diligence and data processing agreements.
If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours where required by law. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay.
14. Automated Decision-Making
We do not make solely automated decisions (without human involvement) that produce legal or similarly significant effects on you. If this changes in the future (e.g., for initial CV screening), we will provide you with meaningful information about the logic involved, the significance and envisaged consequences of such processing, and your rights under applicable law, including the right to obtain human intervention, express your point of view, and contest the decision.
15. Recruitment Agencies and Referrals
We do not accept unsolicited CVs from recruitment agencies. Where a recruitment agency is engaged under contract with us, the agency must provide candidates with this Notice or an equivalent privacy notice at source and collect any required consents before submitting candidate information to us. Referrers must ensure the candidate agrees to be referred and is aware that their information will be shared with Quanloop.
16. Changes to This Notice
We may update this Notice from time to time to reflect changes in our practices or legal requirements. Any changes will take effect when posted on the Site. The “Last updated” date at the top of this Notice indicates when it was last revised. We encourage you to review this Notice periodically.
17. Contact Us
If you have any questions about this Privacy Notice or our data protection practices, please contact us at:
QUANLOOP EUROPE LIMITED
131 Gladstonos Street, Kermia Court, 1st Floor
3032 Limassol, Cyprus
Email (privacy enquiries): [email protected]
Data Protection Officer: We have not appointed a Data Protection Officer. All privacy-related enquiries should be directed to the email address above.
EU Representative: We are not required to appoint an EU representative under Article 27 GDPR as we are established in Cyprus, an EU Member State.