What is the Purpose of This Document?

EPAM Systems Inc. and its affiliates (“EPAM”, "we") are committed to protecting the privacy and security of your personal information.

This privacy notice describes how we collect and use personal information about you during and after your application process, in accordance with the General Data Protection Regulation 2016 (“GDPR”).

This privacy notice applies to all job applicants and EPAM Anywhere applicants based in the European Economic Area, Switzerland and United Kingdom. This privacy notice does not apply to TestIO freelancers. We may update this privacy notice at any time. Where we can, we will notify applicants of substantial changes to the privacy notice. This privacy notice is also available in Czech, Hungarian, Polish and German.

This privacy notice should be read in conjunction with the general privacy policy for general use of our corporate websites, cookie notice and specific EPAM platform notices.

The relevant EPAM entity based on the country of the role for which you are applying is the data controller for data protection purposes. We have provided full details of the relevant entities below. For example, if you apply for a role in Poland, EPAM’s Polish entity, called “EPAM Systems (Poland) sp zoo” is the data controller. We may share your personal information within the EPAM group, and this privacy policy applies to any EPAM entity processing your personal data as a data controller.

We are required under data protection legislation to notify you of the information contained in this privacy notice.

This privacy notice does not imply in any way any contract of employment or contract for services or any other relationship between you and EPAM. 

It is important that you read this privacy notice so that you are aware of how and why we use your personal data.

The Kind of Information We Hold About You

Personal data, or personal information, means any information, by itself or combined with other information, about an individual from which a person can be identified. It does not include data where the identity has been removed (anonymous data).

There are "special categories" of more sensitive personal data which require a higher level of protection. We do not routinely collect, store or use any special categories of personal data as part of our recruitment activities. If you notify us of a disability within the legal definition of a disability, we will only use that information to assess and implement any reasonable adjustments, as required by law.

We may collect, store, and use the following categories of personal information about you:

• Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses;
• Date of birth;
• Your CV, professional social media profile such as LinkedIn, cover letter, application forms and other information regarding your employment history such as dates of employment, job titles, job descriptions, skills, reason for leaving, previous salary and benefits information, any websites or blogs you own or have contributed to, any photographs of you contained in your CV, areas of interests, notice periods/availability for employment;
• Your salary or remuneration package expectations and details of any offers of employment or work made by us to you and your responses;
• Interview history, questions, notes and technical assessment results;
• Your feedback on EPAM’s recruitment process;
• How we obtained your data – from an application by you, through an agency or from a third party website that you had used to seek employment;
• CCTV footage from attendance at any EPAM sites where we control the CCTV systems and any recordings of online video meetings, interviews or assessments;
• Any requests for reasonable adjustments or accommodations to comply with applicable equality legislation;
• Information to assess your right to work in the hire location, such as your nationality, work permit status including documentary evidence subject to local law and explicit consent, where required;
• Details of communications with you, how you interact with email communications and marketing communications;
• Your data privacy and marketing communications preferences

If you use your online profile using epam.com we will also collect, store, and use the additional following categories of personal information about you, such as:

• Your username and data required for log-in;
• Your log in frequency and activity;
• What software, devices or hardware you use to access your profile;
• Your profile preferences and other forms you may complete in the online profile;
• Any privacy or communication channel and frequency preferences. 

How is Your Personal Data Collected?

We mainly collect personal information about applicants from:

• Directly from you, such as using our website epam.com/careers, other EPAM online platforms or applications, email applications or at a recruitment fair;
• From recruitment agencies that you are registered with and have agreed for them to provide us with your application information;
• From current EPAM employees or contractors or other third parties , with your prior permission, as part of our internal or external referral program;
• From third party websites and job boards that you have used to seek employment such as LinkedIn, Xing, Jobs.bg, Pracuj, Profession.hu;
• From third party websites or platforms that help us obtain your contact details  (if we do not already have it) or verify employment history  from publicly available sources.

How We Will Use Information About You?

We only use your personal information for the following purposes and legal bases:

Data Sharing

Where you are represented by a recruitment agency, we will share information about your recruitment activity (such as interview feedback, any offers etc) so they can discuss this with you.

Given the nature of EPAM’s business, from time to time our clients would like to receive summary CVs of applicants like you, as well as our existing employees. We aim to first provide anonymised summary CVs but this is not always possible. We will do our best to inform you of any such disclosure in advance.

In order to understand how we can improve our internal recruitment processes, we may use a third party survey provider to (i) send you an invitation to a survey and or (ii) collect your responses.  Typically, we only share your name and email address. Only team leaders and recruitment managers in EPAM’s appropriate Talent Acquisition teams will have access to replies from applicants under their remit. Your replies will not affect the progress or outcome of any recruitment process with EPAM. 

We may also use third party communication providers to help us manage communications around our recruitment and information campaigns.  

Where we need to technical testing of your skills, we may use third party providers to undertake the testing on our behalf. We may typically share your name and contact information, primary skills, the role or the type of role you are applying for and your resume or CV, if required.

We may also need to use third party service providers, for example, to help us manage our applicant tracking system or to help host our websites or servers. We contractual terms in place to protect your personal data.

We will share your data with other companies within the EPAM group only for the purposes set out above.  As EPAM is a global company with a presence in over 50 countries and regions, we transfer the personal information we collect about you to our group companies only the following countries outside the European Economic Area in order to be able to consider you for other roles at EPAM or with our clients and to administer our recruitment teams and systems:

• USA
• Armenia
• Australia
• Belarus
• Canada
• Hong Kong SAR
• India
• Israel
• Japan
• Kazakhstan
• Korea
• Mexico
• People’s Republic of China
• Singapore
• Switzerland
• United Arab Emirates
• Ukraine
• Vietnam

Other than Switzerland, Israel, Japan and Canada, there is not an adequacy decision by the European Commission in respect of the above countries. This means that the countries (except for Switzerland, Israel, Japan and Canada) to which we transfer your data are not deemed to provide an adequate level of protection for your personal information.

However, to ensure that your personal information does receive an adequate level of protection we have put in place an intragroup data transfer agreement to ensure that your personal information is treated in a way that is consistent with and which respects the EU laws on data protection. If you require further information about this protective measure, you can request it from [email protected].

We may need to disclose all or any part of your personal information if required to do so by law, or pursuant to a request from a governmental or regulatory entity/body or if we believe in good faith that such disclosure is necessary to (1) comply with legal or regulatory requirements or for the purposes of compliance with legal process; (2) prevent crime; (3) prevent any terrorist activity or threat to national security; (4) protect the safety or wellbeing of users of our staff or any other person.

Data Security

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, contractors and third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality. Details of these measures may be obtained from [email protected].

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

Data Retention

How long we will keep your information for?

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

After an unsuccessful application, we will aim to keep some or all of your personal data to the extent we need to for a period of 6 months after the last activity to consider you for any other job openings across the EPAM Group and for legal/record keeping purposes, unless we are required to keep your data for a longer period by applicable law.

Consent to keep your information

EPAM has asked you to consent to us storing your personal data after that initial period.

Where you have given us your consent, we apply the following retention guidelines to your personal data:

• After 6 months of no activity, we will minimise your personal data but at a minimum will retain your CV and information contained in it.
• Within two years of no activity, we will aim to contact you to understand whether there are any roles at EPAM which may be suitable for you. We may also contact you at any point up to this period, if we consider we have a potential suitable position for you and if you have opted in to receive any information generally about our recruitment campaigns.
• If we do not hear from you, we will either delete your profile or archive your profile and create a dummy profile with only one data field (such as your email address) to help link any future applications.

You may withdraw your consent to EPAM retaining your personal data beyond the initial 6 months period after an unsuccessful application.

If you do not consent to the retention of your data as set out here or you withdraw your consent, after 6 months of no activity or 6 months from an unsuccessful application (unless we are required to keep your data for a longer period by law), EPAM will take reasonable steps to either delete your profile or archive your profile and create a dummy profile with only one data field (such as your email address) to help link any future applications. This will not affect your ability to receive information on our recruitment campaigns or log into other EPAM platforms. 

In some circumstances, we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.

Recruitment Campaigns

You can opt into receive information about our recruitment campaigns from EPAM.

You may unsubscribe from these emails at any time by a) unsubscribing using our website, b) logging into your online profile, if you have one, or b) by following the unsubscribe link on any recruitment campaign email from us.

We will take reasonable steps to unsubscribe you from these emails, but it may take up to 72 hours to take effect.

Your Rights In Connection With Your Personal Data

Under certain circumstances, by law you have the right to:

• Request access to your personal information (commonly known as a "data subject access request"). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
• Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
• Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
• Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes such as our recruitment campaigns or “hot jobs” emails.
• Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
• Request the transfer of your personal information to another party.

If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact [email protected] in writing.

No fee usually required

You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

Questions, Requests and Complaints

We have appointed a data protection officer (DPO) to oversee compliance with this privacy notice. If you have any questions about this privacy notice or how we handle your personal information, please contact the DPO:

Yuriy Goliyad
Head of Global Operations
41 University Drive
Suite 202
Newtown
PA 18940
USA

Email: [email protected]

GERMANY ONLY – DATA PROTECTION OFFICER

We have appointed a data protection officer (DPO) to oversee compliance with this privacy notice. If you have any questions about this privacy notice or how we handle your personal information, please contact the DPO:

Yuriy Goliyad
Head of Global Operations
41 University Drive
Suite 202
Newtown
PA 18940
USA

Email: [email protected]

EPAM SYSTEMS IN YOUR LOCATION - DETAILS OF THE DATA CONTROLLER

COMPLAINTS TO SUPERVISORY AUTHORITY

You have the right to make a complaint at any time to the supervisory authority for data protection issues in your home country. A current list of the supervisory authorities in EU can be accessed here.

8 October 2020