Privacy Notice for UK Applicants

GRAIL Bio UK Limited (“GRAIL”, “we”, “us”) is committed to protecting the privacy and security of Personal Data of individuals applying for a job at GRAIL and takes seriously its obligations under applicable data protection laws, including the UK GDPR and the Data Protection Act 2018 (together, “Data Protection Laws”). This Privacy Notice for UK Applicants (“Notice”) describes how GRAIL collects, stores, discloses and otherwise processes your Personal Data. It applies solely to individuals applying for a job at GRAIL Bio UK Limited (“Applicant(s)”, “you”) but does not form part of any employment contract or other contract to provide services. In this Notice, references to “GRAIL” shall mean GRAIL and its affiliates and subsidiaries,including GRAIL, Inc.

Please read this Notice carefully. Any questions about this Notice should be directed to PeopleServices@grailbio.com.

Personal Data that GRAIL Processes about Applicants: Personal Data” means information that relates to an identified or identifiable living individual. Personal Data does not include information that has been rendered anonymous in such a way that the individual is not or is no longer identifiable.

Collection of Personal DataIn the course of processing your application for a job with us, GRAIL may collect the following categories of Personal Data related to Applicants (“Applicant Personal Data” or “Personal Data”): 

  • Identification information, such as your name, citizenship, passport/ID data, date of birth, drivers’ licence information and national insurance number;
  • Contact information, such as your home address, telephone number and personal email address, and the same information for your emergency contacts;
  • Professional or employment-related information, such as contact details for your current or former employer, information about your educational background, your work experience and other experience; copies of right to work documentation, such as work permit or visa; references and other information included in a CV, resume or cover letter or as part of the application process; type of employment sought and your desired salary; references and interview notes; and letters of offer of employment;
  • Applicant monitoring information, such as phone or email communications with employees (for example, in our human resources department) and building access monitoring, including controls for building access, security controls and CCTV footage;
  • Health and medical information, such as information on disability for purposes of accommodating your application and interview, and compliance with our legal obligations to provide equal opportunities;
  • Diversity information, such as race, ethnicity and religious information where it is appropriate for diversity and equal opportunities monitoring, and sexual orientation information (for example, marital status and information on beneficiaries, next of kin and emergency contacts).
  • Background check information, such as the results of criminal records background checks, where relevant and appropriate to your role, and background information not listed above that we obtain from you or your references; and
  • Other information, including information voluntarily and incidentally disclosed by you through your interactions with GRAIL that falls under one of the categories above.

Sources of Personal DataGRAIL may obtain Applicant Personal Data from the following sources:

  • Directly from you, such as during the application process or via other forms or information that you provide to GRAIL in connection with your potential employment or engagement (for example, through job applications, your CV/resume and other information provided during the recruitment process, such as correspondence by email and phone, and during interviews);
  • Indirectly from you, such as when we automatically collect Personal Data on our website or other online properties as described in our website Privacy Policy;
  • Through GRAIL systems monitoring, on computer equipment, networks, communication devices and mobile devices connected to GRAIL’s networks;  
  • From third parties, including references and other background screening sources, current or former employers, employment recruitment agencies, academic institutions and professional registration bodies, publicly available resources and any supplier with which you have entered into a consultancy agreement subject to the requirements of applicable law; and
  • From other vendors providing services to us in relation to the processing of human resources Personal Data.

Where GRAIL requires Applicant Personal Data to comply with its legal or contractual obligations, the provision of such Personal Data is mandatory. If the requested Applicant Personal Data is not provided, GRAIL will not be able to manage the application process or to meet obligations placed on us. In all other cases, the provision of requested Applicant Personal Data is optional.

Please ensure that you have informed any GRAL employee and reference whose details you provide together with or in connection to your application that GRAIL will use their Personal Data as outlined in this Notice.

Purposes for Collecting, Using, Disclosing and Processing Personal DataGRAIL may process Applicant Personal Data for the following purposes and using the following lawful bases:

  • Where necessary to administer and process your application:
    • To assess your skills, qualifications and suitability for the role;
    • To process your application;
    • To carry out background and reference checks, where applicable; and
    • To communicate with you about the recruitment process.
  • Where necessary for GRAIL’s legitimate interests and where our interests are not overridden by your data protection rights and freedoms:
    • To decide whether to employ you in a specific role that would be beneficial to our business;
    • To keep records related to our hiring processes and, where permitted, for the purposes of “talent pooling” and contacting you about opportunities that may arise in future;
    • As necessary or appropriate to protect the rights, property or safety of us, our employees, our clients or others;
    • To prepare to conduct or conduct or assist in internal company investigations, audits or inquiries involving GRAIL;
    • In relation to proposed mergers and acquisitions;
    • To communicate with you about our affiliates or notify you about products or services of selected third parties which GRAIL considers may be of interest to Applicants;
    • To help maintain the safety, security and integrity of our website, products and services, databases and other technology assets, and our business, and to validate and record information about the individuals or Applicants that access the company’s facilities and equipment, as may be required by applicable law;
    • To maintain accurate business accounts, secure GRAIL facilities and equipment and track those individuals and Applicants with access to either for security and/or maintenance purposes;
    • To maintain security badges and to protect and secure GRAIL’s property and maintain the security of information held by the company; and
    • To carry out and manage the business of GRAIL, including for statistical analysis.
  • Where necessary for the purposes of carrying out obligations in the field of employment and social security and social protection law under local law:
    • To facilitate effective equal opportunities monitoring and reporting;
    • To comply with our obligations regarding diversity;
    • To comply with legal obligations to make reasonable adjustments and accommodations; and;
    • To provide a safe working environment for Applicants who visit our premises.
  • Where necessary to comply with a legal obligation:
    • To comply with applicable employment-related requirements; and
    • To make disclosures to law enforcement agencies or in connection with legal claims, health and safety compliance, regulatory, investigative and disciplinary purposes (including disclosure of such Personal Data in connection with legal processes or litigation).
  • Where necessary to protect your vital interests where you are physically or legally incapable of giving consent:
    • To provide information to medical advisers if you were to fall seriously ill during a visit to our premises.

Disclosures of Personal Data to Third PartiesGRAIL may share Applicant Personal Data with other members of the GRAIL group to administer and manage group functions, including to assess your performance and the performance of the GRAIL group and in the course of audits. We also may share your Personal Data with any other GRAIL group member to which you make an application or with whom you communicate.In addition, GRAIL may share Applicant Personal Data with:

  • Any governmental, administrative, judicial or regulatory authorities, including law enforcement, as needed to cooperate with proceedings, inquiries or investigations by such authorities or in response to any requests made by such authorities, or to otherwise comply with legal or regulatory obligations; 
  • Third parties as needed to protect the legitimate interests of GRAIL, including to establish or defend GRAIL’s legal rights;
  • Third parties providing services to GRAIL, including GRAIL’s professional advisors and service providers that provide GRAIL with products and services, such as recruitment administration, background check services and information technology support or infrastructure (such as hosted or managed applications); and
  • Third parties in the event that GRAIL sells any part of its business and/or integrates with another organisation.

Applicant Personal Data may be processed in and accessed from jurisdictions outside the United Kingdom by other members of the GRAIL group and by the third parties with which we share your Personal Data. Specifically, Applicant Personal Data will be transferred to GRAIL’s entities and vendors in the United States of America. When we transfer your Personal Data within the GRAIL group, or to organisations outside the GRAIL group, we will do so in accordance with the Data Protection Laws, including through the use of standard contractual clauses that have been approved by European Commission and the United Kingdom Government (as the context requires), a third party’s binding corporate rules or where we are entitled to rely on one of the other safeguards permitted by the Data Protection Laws.

Retention of Personal Data: For unsuccessful Applicants, GRAIL will retain categories of Applicant Personal Data from the application and selection onboarding process for a reasonable time after your application process is completed (for example, in order to inform you about future job opportunities for which you may be suitable), in accordance with applicable law and GRAIL’s internal rules and policies. For successful Applicants, GRAIL will retain categories of Applicant Personal Datain line with the GRAIL Employee Privacy Notice. We seek to only retain Personal Data for as long as necessary to fulfill the purposes for which we collected it, including for the purposes of satisfying any legal, accounting or reporting requirements. To determine the appropriate retention period for Personal Data, we consider the amount, nature and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of your Personal Data, the purposes for which we process your Personal Data, and whether we can achieve those purposes through other means, and the applicable legal requirements. 

Your RightsApplicants have certain rights under the Data Protection Laws regarding their Personal Data:  

  • The right to know what Personal Data we process about you and to be provided with a copy of such Personal Data;
  • The right to ask us to correct your Personal Data;
  • The right to delete or cease processing of your Personal Data in certain circumstances (for example, where GRAIL no longer needs the Personal Data);
  • The right to request GRAIL to send you, or another organisation, certain types of your Personal Data in a machine-readable format;
  • The right to withdraw your consent to GRAIL’s processing your Personal Data, where our processing is based on your consent;
  • The right to ask GRAIL not to subject you to solely automated decisions, including profiling; and
  • The right to complain to a data protection regulator in the place that you live, work or where the breach of the Data Protection Laws occurred, if you think that GRAIL is not complying with its obligations regarding your Personal Data.

If you want to exercise any of these rights, please submit a request by contacting human resources by emailing PeopleServices@grailbio.com. We will review your requests and respond accordingly. The rights described herein are not absolute and we reserve all our rights available to us at law in this regard. If you make a request with respect to your Personal Data, you may be required to validate your identification as a security precaution. If it is necessary to collect additional Personal Data, GRAIL will use the Personal Data only for verification purposes and will delete it as soon as practicable after complying with the request. If you make a request through a third party, we will require written proof that the third party is authorised to act on your behalf. We will process your request within the time provided by the Data Protection Laws.

Notice Modification: Subject to applicable law, this Notice may be modified, amended or rescinded at any time without prior notification. This Notice was last updated on June 21, 2024.

The controller of your Personal Data for the purposes of the Data Protection Laws is:

GRAIL Bio UK Limited
210 Euston Road
London NW1 2DA
privacy@grailbio.com