Data Protection Declaration
Summary of the Recruitment Privacy Notice of Biognosys
This short summary provides a quick overview of the most important aspects of the Recruitment Privacy Notice of Biognosys with respect to the Recruitment Portal. The full Privacy Notice, including all information required by law, is available below.
Biognosys («we», «us») collects and processes personal data when you use our job application form on our career center https://biognosys.com/careers/ («recruitment portal»). For this purpose, Biognosys AG, Wagistrasse 21, 8952 Schlieren, Switzerland, dpo@biognosys.com («Biognosys AG») is the main controller. The other Biognosys entities that use the recruitment portal (see here https://biognosys.com/contact-us/) are joint controllers with Biognosys AG and – once a specific recruitment is carried out by them for their job openings – sole controllers with respect to that recruitment process.
You can contact that Biognosys entity for data protection concerns and to exercise your rights using the contact details provided in the job advertisement.
Biognosys AG and the Biognosys entities posting a job opening on the recruitment portal collect the personal data you provide when applying for a specific position on the recruitment portal and the latter entity uses it to evaluate the most suitable candidate for that position and, if you are selected, to enter into an employment contract with you. If you are not selected for the position you applied for, we generally keep your data for 3 months after the recruitment process for the position you applied for has been completed. However, with your consent, we may keep your data on the recruitment portal for one year from the date of notification of the rejection decision to inform you of future employment opportunities with us. You can update your data during this period or withdraw your consent and have your data deleted by contacting us at the email address provided above. Please note that we will delete your personal data from the backup files only when technically possible to do so without affecting the integrity of other information kept in such backup files.
In addition to the data mentioned above, we also collect and process technical data (e.g. the IP address of your terminal device), communication data (e.g. your contact details and communications with you), reference data (e.g. references from your past employers), preference data (e.g. your language preferences on our recruitment portal) and other data.
With your consent, we and third parties may also track you during your use of our recruitment portal and possibly over several visits. We collect and use this data to operate and improve the recruitment portal, to consider your application for a particular job opening, to communicate with you, to comply with applicable laws, and for market research and statistical purposes. The recruitment portal is operated by our provider Refline, based in Zurich, Switzerland. For more information on how Refline processes your data, you can read its privacy notice here (in German): https://refline.ch/de/datenschutzerklarung/.
You have several rights in relation to the processing of your personal data, including the right to obtain from us information as to whether and what data we are processing about you, the right to have us rectify data if it is inaccurate and the right to have data erased, the right to require us to provide certain personal data in a commonly used electronic format or to transfer it to another controller. See the full Recruitment Privacy Notice of Biognosys below for more details.
1. What is this Privacy Notice about?
Biognosys (also «we», «us») collects and processes personal data that concern you but also other individuals («third parties»). We use the word «data» here interchangeably with «personal data». Personal data means any information relating to an identified or identifiable natural person.
In this Privacy Notice, we describe what we do with your data when you use our job application form on our career center https://biognosys.com/careers/ («recruitment portal») or otherwise apply or interact with us by other means of communication (e.g. email, mail, telephone) in connection with a job posting on our recruitment portal or on our LinkedIn corporate page at https://www.linkedin.com/company/biognosys.
This Privacy Notice applies to you in your capacity as a candidate for employment by an entity of Biognosys («you»). If you use our services, websites, and other offerings other than in your capacity as a candidate for employment, our General Privacy Notice applies. Where appropriate, we will provide a just-in-time notice to cover any additional processing activities not mentioned in this Privacy Notice. If you provide us with or share information about other individuals, such as family members, co-workers, supervisors, and former employers, we will assume that you are authorized to do so and that the information is accurate. When you provide us with information about others, you are acknowledging this. Please make sure that these individuals have been informed of this Privacy Notice. This Privacy Notice is aligned with the EU General Data Protection Regulation («GDPR») and the current Swiss Data Protection Act («DPA»). However, the application of these laws depends on the individual case.
2. Who is the controller for processing your data?
Biognosys AG, Wagistrasse 21, 8952 Schlieren, Switzerland («Biognosys AG») is the main controller with respect to the collection and processing of your data on the recruitment portal and related systems (including LinkedIn). The individual Biognosys entity that advertises a particular job opening is a joint controller together with Biognosys AG with regard to the processing of your data in relation to that job opening on the recruitment portal and related systems (including LinkedIn).
Once a particular job application is handed over to the individual Biognosys entity for the purpose of being processed for a particular job opening (in particular, the one for which you apply), that Biognosys entity becomes the sole controller of the further processing of your data with respect to that job opening and the related recruitment process.
If you have any questions or concerns regarding data protection, please contact us as follows:
Biognosys AG
Wagistrasse 21
8952 Schlieren
Switzerland
dpo@biognosys.com
3. What data do we process?
We process various categories of data about you, including current but also previous versions where information changes over time. The main categories of data are the following:
- Technical data: When you use our recruitment portal, applications and other infrastructure, we collect data about the access credentials you provide, your logins, accesses, entries and exits, your use of our applications, systems and other infrastructure you may use in order to ensure the functionality and security of these services, systems and other infrastructure. We will also log this information where necessary to maintain an audit trail or for statistical purposes.
- Qualification data: When you apply for a position with us, we collect and process the data that you provide to us in your application materials, such as your name and contact details, information about your education, qualifications and work experience. We generally collect this data directly from you in your application materials, such as your resume, cover letter, diplomas, academic transcripts, and letters of recommendation. Depending on the type of position advertised, we may also receive this data from recruitment and placement agencies that you have provided to them in the context of a job search. We also collect and process data which is not directly provided by you, but which is used to determine your suitability for the position you are applying for (at the recruitment stage) such as the notes we take during and after our interviews with you, our internal exchanges and discussions about your suitability for the position. If your application is successful and you accept an offer of employment or work from us, the data that we have collected from you during the pre-employment period will become part of your personnel file with us, respectively will be added to your personnel file and will be kept for the duration of the employment relationship. This period may be longer where required for evidentiary purposes, to comply with contractual or legal requirements (including local applicable laws), or for technical reasons. If your application is unsuccessful, we generally keep this data for one year from the notification of the rejection decision so that we can inform you of future employment opportunities with us. In the event of an internal application, where the data is already known to us, it will be kept for the duration of the employment.
- Publicly available data: We may collect certain personal data about you online to the extent that you have made this data publicly available and it is relevant to the job opening in question or otherwise to your assessment as a professional. We generally obtain this information from public sources. For example, we may find your profile on professional social media websites (such as LinkedIn and Xing) and collect the information made available through that channel. We will keep this data as long as there is a legitimate business need.
- Reference data: If, in your application, you mention individuals with whom or for whom you have worked in the past, such as former supervisors, co-workers or customers, we may contact or meet with them to obtain references about you. We will only contact these individuals if you have specifically provided us with their names and contact details in the context of your application. If you are already employed by us and apply for another internal position, we may request references and internal evaluations from your current supervisors and co-workers. We generally keep this data for three months from the end of the relevant recruitment process, except in the event of an internal application, where the data is already known to us and will be kept for the duration of the employment relationship.
- Communication data: When you are in contact with us through our website, recruitment portal, social media corporate pages (e.g. LinkedIn) or otherwise, in your own capacity (as opposed to acting for us), we collect the data exchanged between you and us, including your contact details and the metadata of the communication. Emails in personal mailboxes and written correspondence are generally kept for at least ten years. The retention period may even be longer where required for evidentiary purposes, to comply with legal or contractual requirements, or for technical reasons. In some cases we may have telephone calls or (video) conferences being recorded for quality assurance purposes and trainings. Such recordings may only be made and used if you give prior consent (verbally or in writing) to such recording. If you communicate with other Biognosys employees, our support functions or third parties (e.g., customers, suppliers, business partners) using messaging applications, we will consider those communications to be work-related and we will collect the data exchanged through those means, including the metadata of the communication.
- Other data: We also collect data from you in other situations. For example, data about who enters our premises, offices, and other workplace facilities. The retention period for this data depends on the purpose and is limited to what is necessary.
Much of the data set out in this Section 3 is provided to us by you (through your application documents, etc.). You are not obliged or required to disclose data to us except in some cases (legal obligations). We may need to collect publicly available data, reference data and qualification data if you want us to proceed with your job application. If your application is successful and you wish to enter into an employment relationship with us and use our IT systems and internal platforms, you must also provide us with certain data, in particular technical data, account data, administration data and financial data in order to enable us to manage the employment relationship with you and provide you with access to our buildings, facilities and IT systems. As far as it is not unlawful, we also collect data from public sources (for example, the internet, including professional social media websites, public registries, etc.) or receive data from other companies within the Biognosys group, and from other third parties (such as credit agencies, background check agencies, internet analytics services, etc.).
We process your data for purposes related to communication with you and with the exercise of your rights (Section 10) and to enable us to contact you in case of queries. For this purpose, we mainly use communication data. We keep this data to document our communication with you, for quality assurance and for follow-up inquiries.
We process your data in order to determine whether you are a suitable candidate for the position you have applied for and to decide whether we would like to enter into an employment relationship with you. For this purpose, we mostly use qualification data, publicly available data, reference data, and qualification data. We process this data to progress your application through the different recruitment stages, to verify the qualifications information you have provided, to document our recruitment process and maintain employment records, as well as to document our decision-making process and make an informed recruitment decision.
If your application is successful, we process your data for the purpose of concluding and executing our employment relationship with you. For these purposes, we process in particular qualification data and administration data.
We process your data for the purpose of security, access control and system use. For these purposes, we mainly process technical data, account data and «other data».
We process personal data to comply with laws, directives and recommendations from authorities and internal regulations («Compliance»). For these purposes we mainly process qualification data, administration data, but also, under certain circumstances, data from the category of «other data».
We also process data for the purposes of our risk management and as part of our corporate governance, including business organization and development. For these purposes, we process in particular account data, qualification data, administration data, but also technical data and communication data.
We may process your data for further purposes, for example as part of our internal processes and administration or for quality assurance purposes and trainings.
5. On what basis do we process your data?
Where we ask for your consent for certain processing activities, we will inform you separately about the relevant processing purposes. You may withdraw your consent at any time with effect for the future by providing us written notice (by mail) or, unless otherwise noted or agreed, by emailing us; see our contact details in Section 2. Once we have received notification of withdrawal of consent, we will no longer process your information for the purpose(s) you consented to, unless we have another legal basis to do so. Withdrawal of consent does not, however, affect the lawfulness of the processing based on the consent prior to withdrawal. If you withdraw the consent for us for processing personal data we require for assessing or employing you for a particular position, you will no longer be able to continue with your application for such position.
Where we do not ask for your consent, the processing of your personal data relies on the basis of processing for initiating and/or performing an employment contract (or other contract under which you are working for us, e.g. as a contractor) with you or on our or a third-party legitimate interest in the particular processing operation, in particular in pursuing the purposes and objectives set out in Section 4 and in implementing related measures. Our legitimate interests also include compliance with legal regulations insofar as this is not already recognized as a legal basis under the applicable data protection law (e.g. under the laws in the EU, the United Kingdom, and Switzerland).
In some cases, other legal bases may apply, which we will communicate to you separately as necessary.
6. With whom do we share your data?
In relation to the employment relationship between you and us, our legal obligations or otherwise in relation to the protection of our legitimate interests and the other purposes set out in Section 4, we may disclose your personal data to third parties, in particular to the following categories of recipients:
• Group companies: We may transfer your data to our group companies, which can be found here: https://biognosys.com/contact-us/, as well as with Bruker Corporation which has a majority-ownership investment in Biognosys (https://www.bruker.com/en.html; see also https://www.bruker.com/en/news-and-events/news/2023/biognosys-and-bruker-form-partnership-for-advanced-proteomics-cro-services.html). If you are an applicant, the individual Biognosys entity to which you have applied may, with your consent, share your data with other Biognosys entities or with Bruker Corporation so that they may contact you in the event of future job opportunities with them that may be of interest to you, with those Biognosys entities or Bruker Corporation acting as sole controllers for such purposes. If you are an employee of a Biognosys entity, this entity may share your data with other Biognosys entities, Bruker Corporation or group functions in order to be processed by them for their own purposes (e.g. group-wide statistics, group-wide computer and telephone directories), with those Biognosys entities, Bruker Corporation or group functions acting as sole controllers for such purposes. Additionally, if you are already employed with a Biognosys entity and are transferred or seconded to another Biognosys entity or Bruker Corporation, the former will share your data with the latter and the latter will become a separate controller for the purpose of performing your new employment relationship with it. The Biognosys entities or Bruker Corporation have access particularly to your qualification data, publicly available data, reference data, account data, administration data, performance and training data, financial data and health and well-being data.
• Service providers: We work with service providers in Switzerland, who process your data on our behalf or as joint controllers with us. These providers may also use such data for their own purposes, for example anonymized information to improve their services. In addition, we enter into contracts with these providers that include provisions to protect data, where such protection does not follow from the law.
• Employers and other organizations referred to in your resume: We may also disclose your data to former employers when you apply for a job with us (e.g., reference information) or to future employers when you apply for a new job. These former and future employers act as separate controllers. The same applies with other organizations we may contact for validating your job application data.
• Authorities: We may disclose personal data to agencies, courts and other authorities in the EEA, the United Kingdom, Switzerland, and abroad, if we are legally obliged or entitled to make such disclosures or if it appears necessary to protect our interests. These authorities act as separate controllers.
• Other persons: This means other cases where interactions with third parties follow from the purposes set out in Section 4. Where these other persons determine the purposes and means of the processing and process your data for their own purposes, they act as separate controllers.
All these categories of recipients may involve third parties, so that your data may also be disclosed to them. We can restrict the processing by certain third parties (e.g. IT providers), but not by others (e.g. public authorities).
7. Is your personal data disclosed abroad?
As explained in Section 6, we disclose data to other parties.
If for any reason we will need to transfer your data to a processor located in a country without adequate statutory data protection, we will require the recipient to undertake to comply with data protection (for this purpose, we use the revised European Commission’s standard contractual clauses, which can be accessed here) unless the recipient is subject to a legally accepted set of rules to ensure data protection. An exception may apply for example in case of legal proceedings abroad, but also in cases of overriding public interest or if you have consented or if data has been made available generally by you and you have not objected against the processing.
8. How long do we process your data?
We process your data for as long as our processing purposes, the legal retention periods and our legitimate interests in documentation and keeping evidence require it or storage is a technical requirement. You will find further information on the respective storage and processing periods for the individual data categories in Section 3 (e.g., unsuccessful job applications are usually deleted after three months, unless you consent for us to keep them longer). If there are no contrary legal or contractual obligations, we will delete or anonymize your data once the storage or processing period has expired as part of our usual processes.
9. How do we protect your data?
We take appropriate security measures in order to maintain the required security of your personal data and ensure its confidentiality, integrity and availability, and to protect it against unauthorized or unlawful processing and to mitigate the risk of loss, accidental alteration, unauthorized disclosure or access. Technical and organizational security measures may include logging, access restrictions, keeping backup copies, giving instructions to our employees, entering confidentiality agreements, and monitoring. Specifically, we take appropriate organizational measures to ensure that our employees have access to your data on a need-to-know basis, to the extent necessary for the purposes described in this Privacy Notice and the activities of the employees concerned.
10. What are your rights?
Applicable data protection laws grant you the right to object to the processing of your data in some circumstances, in particular for processing activities on the basis of legitimate interest.
To help you control the processing of your personal data, you have the following rights in relation to our data processing, depending on the applicable data protection law:
– The right to request information from us as to whether and what data we process from you;
– The right to have us correct data if it is inaccurate;
– The right to request erasure of data;
– The right to request that we provide certain personal data in a commonly used electronic format or transfer it to another controller;
– The right to withdraw consent, where our processing is based on your consent;
– The right to receive, upon request, further information that is helpful for the exercise of these rights.
If you wish to exercise the above-mentioned rights in relation to us, please contact us in writing, at our premises or, unless otherwise specified or agreed, by email; you will find our contact details in Section 2. In order for us to be able to prevent misuse, we need to identify you (for example by means of a copy of your ID card, unless identification is not possible otherwise).
Please note that conditions, exceptions or restrictions apply to these rights under applicable data protection law (for example to protect third parties or trade secrets). We will inform you accordingly where applicable.
If you do not agree with the way we handle your rights or with our data protection practices, please contact us (Section 2). If you are located in the EEA, in the United Kingdom, or in Switzerland, you also have the right to lodge a complaint with the competent data protection supervisory authority in your country. You can find a list of authorities in the EEA here: https://edpb.europa.eu/about-edpb/board/members_en. You can reach the UK supervisory authority here: https://ico.org.uk/global/contact-us/. You can reach the Swiss supervisory authority here: https://www.edoeb.admin.ch/edoeb/en/home/the-fdpic/contact.html.
11. What data do we process on our LinkedIn corporate page?
We operate the following company page on the professional social media network LinkedIn Corp. («LinkedIn»): https://ch.linkedin.com/company/biognosys?trk=public_post_follow-view-profile. We collect the data about you described in Section 3 that we receive from you and LinkedIn when you apply directly for a job posted on our corporate page (as soon as this option is available) or otherwise interact with our page. At the same time, the platform analyzes your use of our online presence and combines this data with other data they have about you (e.g., about your behavior and preferences). They also process this data for their own purposes, in particular for marketing and market research purposes (e.g., to personalize advertising) and to manage their platforms (e.g. what content they show you), and for this purpose they act as separate controllers.
We process this data for the purposes set out in Section 4, in particular for communication purposes and to take the necessary steps to enter into an employment relationship with you. Please refer to Section 5 for the applicable legal basis. We may disseminate content published by you (e.g., comments on a particular job posting). We or LinkedIn may also delete or restrict content from or about you in accordance with its terms of use (e.g., inappropriate comments).
For more information on the processing of LinkedIn, please refer to its privacy information, which is available here: https://www.linkedin.com/legal/privacy-policy?trk=homepage-basic_footer-privacy-policy. This link also provides information about the countries in which they process your data, your rights of access and erasure of data and other data subjects' rights and how you can exercise them or obtain further information.
12. Can we update this Privacy Notice?
We can change this Privacy Notice at any time. The version published on the recruitment portal and our website is the current version. If we make significant changes to this Privacy Notice, we will inform you by notice on our website or by email.
Last updated: March 28, 2024