BCG X Recruitment Privacy Policy

Introduction

This is the Recruitment Privacy Policy of BCG X, an operating division of the Boston Consulting Group, Inc., and encompassing the companies listed here (“we”, “BCG X”). This Recruitment Privacy Policy only applies to the personal information of job applicants and potential candidates for employment at BCG X as well as when we recruit for our portfolio companies and clients. If you are a California resident, please see the California Addendum at the end of this Recruitment Privacy Policy for further details on how we handle your information and how to exercise your rights. The purpose of this Recruitment Privacy Policy is to inform you about how we process your data for recruiting purposes and to explain the rights you have in relation to your personal data.

Who is responsible for processing your personal data?

For individuals applying to BCG X or one of our portfolio companies, the BCG X office that you apply to, or that is listed in the job advertisement, is responsible for the processing of your personal data.

What personal data do we collect from you?

When you actively apply for employment at BCG X, or our portfolio ventures, you will be asked to submit your contact details and your resume/CV containing information that you deem relevant for the process, such as educational and employment history.
We also require information on your visa and/or immigration status regarding employment at the location you are applying for.
In addition to the data you submit directly to us, we may also collect information from third-party sources, such as professionally-focused social networks or public sites.
When you enter the interview stage, we collect details from your interviews, such as further information on your experiences and your salary expectations, as well as the outcome of “take home” challenges, if applicable.
With your consent, we also collect information from reference persons you list.
We may also carry out background checks, including criminal records, where legally permissible.
If you sign up for our recruiting newsletter, we ask you for your email address. For further information on our newsletter, see here.
We collect your sensitive personal information, such as racial or ethnic origin identities and disabilities, only with your consent and where we are permitted to do so by applicable laws (e.g. US equal opportunity monitoring).
Information that enables us to book travel for you (e.g. passport or ID number, travel preferences dietary requirements) or reimburse you for travel costs (e.g. travel and bank account details), in case of onsite interviews.
Active sourcing: BCG X also conducts active sourcing to identify promising talents in the labor market. This means, we collect personal data such as name, contact data, employment history and current position of potential applicants from professional social networks, public sites or referrals from our employees. The purpose of the data collection is to analyze if you might fit a vacancy and to actively initiate contact with you. In all cases, we will notify you that we have collected your data for the purpose of active sourcing.

Please note that the provision of personal information is neither a statutory nor a contractual requirement, nor are you obliged to provide such information. However, failing to do so may result in BCG X not being able to progress your candidacy for the position that you have applied to.

How do we use your information?

We use your personal information in the context of the recruitment process:

To evaluate your suitability for the immediate role you have applied for and conduct the interviewing process.
In case of active sourcing, to analyze if you may fit a vacancy and to actively initiate contact with you.
On an aggregated basis, for analytical and statistical purposes, to understand and improve our recruiting processes.
On the basis of your consent, to add you to our talent pool for the purpose of considering your profile for other upcoming roles at BCG X and our portfolio ventures. Giving your consent is voluntary and you may withdraw it at any point.
However, withdrawal of consent will not affect the lawfulness of processing prior to withdrawal.
If the recruitment process leads to employment: to process personal information collected during the recruitment process for the purposes of entering into an employment contract or fulfilling our related legal obligations. Thereafter, the processing of your personal data will be governed by our internal data processing policies, of which you will be informed when starting your new job.
To ensure compliance with legal requirements, including diversity requirements and practices (where required by applicable laws).
US only: if you voluntarily participate in our demography survey, we will use your aggregated sensitive information to help us identify areas for improvement within our diversity efforts. If you choose to respond, your information will be stored separately from your application, and will not be associated with your specific application at any time.
If you are invited to onsite interviews, to book travel for you or reimburse your travel costs, if applicable.
To safeguard our legitimate interests, including defending ourselves against any legal claims arising from the recruitment process.

When will we share your information?

BCG X is part of the BCG group of companies and we may need to share your personal information with other BCG subsidiaries and affiliates insofar its required for the purposes detailed above. Additionally, your personal information will be processed by our contracted third-party service providers for services such as data hosting and the recruiting software platform.

If you apply for a position in one of our portfolio ventures, we may need to share your application data with the portfolio venture in question, as well as our corporate partner with whom we collaborate on this particular venture.

Similarly, if you consent to your data being added to our talent pool, we may share your application data with our portfolio ventures and the corporate partners, with whom we collaborate in building these ventures. We may also share your information with law enforcement bodies in order to comply with any legal obligation or court order.

Where do we store your data?

Your personal data will be stored within our applicant tracking system provided by Greenhouse Software Inc, 18 W 18th Street, 9th Floor, New York, NY 10011. This involves your personal information being stored and processed outside of the European Economic Area (EEA) in the United States. While privacy laws in third countries differ from those in the EEA, we only make these arrangements or transfers where we are satisfied that adequate levels of protection are in place to protect information held in that country. We have entered into EU Standard Contractual Clauses with our third-party service providers, that require the recipients of the data to abide by data protection rules approved by the European Commission. Please contact us if you wish to request a copy of the specific safeguards applied to the transfer of your personal information.

How do we protect your information?

BCG X has in place appropriate technological and operational security processes designed to protect your personal information from loss, misuse, alteration or destruction. Only authorized employees and providers will have access to any data provided by you, and that access is limited by need. Each employee or provider that has access to any personal information is obligated to maintain its confidentiality. Although we take steps that are generally accepted as industry standard to protect your personal information, BCG X cannot guarantee that your personally-identifiable information will not become accessible to unauthorized persons and BCG X cannot be responsible for any actions resulting from a breach of security when information is supplied over the internet or any public computer network.

How long will we retain your information?

In the case that your application is not successful, we may continue to retain and use your personal information for a period of time (which may vary depending on the country), for system administration purposes, to perform research and to defend our legal interest. At the expiry of this period, we may retain a minimum amount of your personal information to record your recruiting activity with us. Otherwise your personal data will be anonymized.
If we have actively sourced your information (see above: active sourcing), we will retain it only as long as necessary to assess whether we have a suitable position for you. This time frame will not exceed six months; however, this is extended if you decide to actively enter our recruiting process.
If you have given your consent to being added to our talent pool, we will store your personal information for up to 3 years in order to consider your profile for future opportunities. If you wish to withdraw your consent, please contact us.

What legal basis do we have for processing your information?

BCG X is a global company, so the legal basis for the processing of your personal data depends on which BCG X entity is processing your data, and for what purpose we are processing it. In general, we see our recruiting activities to be in our legitimate interest, as it helps us to find the best employees for our company and portfolio ventures, or we ask you to consent.
In cases where European or German law applies to our recruiting processes, the legal basis for our processing activities is as follows:

Handling active applications	Art. 6 para. 1 lit. b of the EU General Data Protection Regulation (GDPR), taking steps prior entering into a contract Art. 88 para. 1 GDPR in connection with § 26 para. 1 German FDPA, where German law applies
Processing travel cost reimbursement	Art. 6 para. 1 lit. c GDPR complying with legal obligations such as accounting and tax regulations
Retention of data in case of rejection	Art. 6 para. 1 lit. f GDPR, our legitimate interest results from defending us against possible lawsuits and protecting ourselves against fraudulent applications
Active sourcing Analyzing recruiting process	Art. 6 para. 1 lit. f GDPR, our legitimate interest results from our constant search for the best employees, approach to constantly improving our recruiting process

References Sensitive personal data you might disclose

Your consent – Art. 6 para. 1 lit. a, 9 para. 2 lit. a GDPR

Your rights

In accordance with applicable data protection laws, including but not limited to the GDPR and the California Consumer Privacy Act (CCPA), you have a right to request a copy of the personal information we hold about you and details of how we use that information.
If any of the information held about you is incorrect or out of date, you have the right to amend or rectify it. Please follow the process outlined below and we will amend our records where appropriate.
You also have the right to require us to erase your personal data, stop processing your personal data, restricting the processing of your personal information, right of portability of your personal information and/or to withdraw your consent to processing. This may not apply if there are other legal justifications to continue processing. If you wish to exercise any of these rights, please contact us.
In your request, please make clear what personal information you would like to have changed, whether you would like to have your personal information deleted or otherwise let us know what limitations you would like to put on our use of your personal information. For your protection, we may need to verify your identity before implementing your request.
In addition to the above rights, you also have the right to lodge a complaint with your local data protection authority.

To exercise your rights, please contact DataSubjectRights@bcg.com. Please refer to your application with BCG X specifically.

How to make a complaint?

You can complain to us in writing about how we have handled your personal data. We will respond to the complaint within 30 days.

How to contact us?

For further questions, you may contact the appropriate data protection point of contact:

Data Protection Office

The Boston Consulting Group Inc.

One Beacon Street

Boston, MA 02108

DataProtectionOffice@bcg.com

Updates to this Policy

We reserve the right to amend this Recruiting Privacy Policy from time to time without

further notice. Previous versions of this Recruiting Privacy Policy are available upon

request.

Last updated: January 2024

---

California Addendum

This California Addendum applies to California residents and supplements the

information provided above in the Recruitment Privacy Policy.

Collection and Disclosure of Personal Information

The following table details which categories of personal information we collect and process, as well as which categories of personal information we disclose to third parties for our operational business and hiring and recruitment purposes, including within the 12 months preceding the date this Privacy Policy was last updated.

Categories of Personal Information	Disclosed to Which Categories of Third Parties for Operational Business Purposes
Identifiers, such as name, postal address, unique personal identifiers, IP address, email address, account name, online identifiers, and government-issued identifiers	Our affiliates; service providers that provide services such as recruiting, candidate engagement, employment screening and background checks, consulting, IT and other services; professional advisors, such as lawyers; public and governmental authorities, such as regulatory authorities and law enforcement
Personal information as defined in the California customer records law, such as name, contact information, and financial, education and employment information	Our affiliates; service providers that provide services such as recruiting, candidate engagement, employment screening and background checks, consulting, IT and other services; professional advisors, such as lawyers; public and governmental authorities, such as regulatory authorities and law enforcement
Protected Class Information, such as characteristics of protected classifications under California or federal law, such as sex, age, gender, race, disability, citizenship, military/veteran status, gender identity and expression, primary language, and immigration status	Our affiliates; service providers that provide services such as employment screening and background checks, consulting, IT and other services; professional advisors, such as lawyers; public and governmental authorities, such as regulatory authorities and law enforcement
Commercial Information, such as travel expenses	Our affiliates; service providers that provide services such as expense reimbursement provider, consulting, IT and other services; professional advisors, such as lawyers; public and governmental authorities, such as regulatory authorities and law enforcement
Internet or network activity information, such as browsing history and interactions with our website and other online portals or services	Our affiliates; service providers that provide services such as recruiting, candidate engagement, consulting, IT and other services; professional advisors, such as lawyers; public and governmental authorities, such as regulatory authorities and law enforcement
Audio/Video Data. Audio, electronic, visual and similar information, such as photographs and call and video recordings	Our affiliates; service providers that provide services such as recruiting, candidate engagement consulting, IT and other services; professional advisors, such as lawyers; public and governmental authorities, such as regulatory authorities and law enforcement
Education Information subject to the federal Family Educational Rights and Privacy Act such as student transcripts, grade point average, grades, academic standing, disciplinary records, and confirmation of graduation	Our affiliates; service providers that provide services such as recruiting, candidate engagement, employment screening and background checks, consulting, IT and other services; professional advisors, such as lawyers; public and governmental authorities, such as regulatory authorities and law enforcement
Employment Information. Professional or employment-related information, such as work history and prior employer, information from reference checks, work experience, qualifications, training and skills, work authorization, CV, résumé, cover letter, professional and other work-related licenses	Our affiliates; service providers that provide services such as recruiting, candidate engagement, employment screening and background checks, consulting, IT and other services; professional advisors, such as lawyers; public and governmental authorities, such as regulatory authorities and law enforcement
Inferences drawn from any of the Personal Information listed above to create a profile about, for example, an individual’s preferences, characteristics, predispositions, and abilities	Our affiliates; service providers that provide services such as recruiting, candidate engagement, consulting, IT and other services; professional advisors, such as lawyers; public and governmental authorities, such as regulatory authorities and law enforcement
Sensitive Personal Information [5]Social Security, driver’s license, state identification card, or passport number; account log-in; racial or ethnic origin, citizenship, immigration status	Our affiliates; service providers that provide services such as recruiting, talent acquisition, employment screening and background checks, consulting, IT and other services; professional advisors, such as lawyers; public and governmental authorities, such as regulatory authorities and law enforcement

We may use sensitive personal information for purposes of performing services for our

business, providing services as requested or chosen by you, and ensuring the security

and integrity of our business, infrastructure, and the individuals we interact with. This

includes, without limitation, receiving and processing your job application, conducting

background checks, analyzing and monitoring diversity, making you an offer (subject to

our discretion), fulfilling administrative functions, complying with law, legal process, or

requests from governmental or regulatory authorities, and exercising or defending legal

claims.

Individual Requests

You may, subject to applicable law, make the following requests:

1. You may request that we disclose to you the following information:

The categories of personal information we collected about you and the categories of sources from which we collected such personal information
The business or commercial purpose for collecting personal information about you; and
The categories of personal information about you that we otherwise disclosed, and the categories of third parties to whom we disclosed such personal information

2. You may request to correct inaccuracies in your personal information

3. You may request to have your personal information deleted

4. You may request to receive the specific pieces of your personal information, including a copy of the personal information you provided to us in a portable format

We will not unlawfully retaliate against you for making an individual request. To make a request, please contact us via datasubjectrights@bcg.com or call 1-866-I-OPT-OUT (1- 866-467-8688) and enter service code 837# to leave us a message. We will verify and respond to your request consistent with applicable law, taking into account the type and sensitivity of the personal information subject to the request. We may need to request additional personal information from you, such as copy of your driver’s license, utility bill in order to verify your identity and protect against fraudulent requests. If you maintain a password-protected account with us, we may verify your identity through our existing authentication practices for your account and require you to re-authenticate yourself before disclosing or deleting your personal information. If you make a request to delete, we may ask you to confirm your request before we delete your personal information.

To request to opt out of any future sharing of your personal information for purposes of cross-context behavioral advertising, click here.

Authorized Agents

If an agent would like to make a request on your behalf as permitted by applicable law, the agent may use the submission methods noted in the section entitled “Individuaequests.” As part of our verification process, we may request that the agent provide, as applicable, proof concerning their status as an authorized agent. In addition, we may require that you verify your identity as described in the section entitled “Individual Requests” or confirm that you provided the agent permission to submit the request.

FOOTNOTES

[1] Personal data only includes information relating to natural persons who can be identified or who are identifiable, directly from the information in question; or who can be indirectly identified from that information in combination with other information.

[2] BCG X only uses publicly available information for running background checks.

[3] In our marketing communications with you we monitor and comply with applicable data privacy laws and if, at any time, you prefer not to receive further communications from us in any or all forms you will have the ability to unsubscribe from such communications by means of a link provided in every e-mail that is sent to you by us. When subscribing to BCG e-mail newsletters, you are given the opportunity to select which promotions, news, and information you would like to receive at the time of sign up, and you will have the opportunity to unsubscribe from such communications.

[4] Data transfers within BCG X entities are governed by BCG X’s intra company agreements, local data export restrictions and/or local data privacy laws.

[5] CPRA defines sensitive personal information as personal information that reveals an individual’s social security, driver’s license, state identification card, or passport number; account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; precise geolocation; racial or ethnic origin, religious or philosophical beliefs, citizenship, immigration status, or union membership; the contents of mail, email, and text messages unless BCG X is the intended recipient of the communication; genetic data; The processing of biometric information for the purpose of uniquely identifying an individual; Personal information collected and analyzed concerning an individual’s health; and Personal information collected and analyzed concerning an individual’s sex life or sexual orientation.