Privacy notice for Applicants

We (Galapagos NV, “Galapagos”, “we,” or “us”) are committed to ensure the protection of personal data of all individuals who are currently collaborating with us, including applicants. Your personal data are handled and protected with the utmost care, in accordance with the requirements imposed by European and local data protection laws.

In this privacy notice we explain the principles that we apply, in our capacity as a controller, when we process your personal data. It applies to all personal data that is collected and processed in any format, whether electronic or paper.

1. The personal data we collect and why we collect it

In case you apply for a job opening, in case of a spontaneous job application or in case we receive your information from an employee who refers you, the following personal data can be processed for the job application procedure:

• Any personal data that you provide when you send us your application or that is sent to us via the person who refers you including, but not limited to full name, nationality, date and place of birth, email address, phone number, picture, marital status, cover letter, hobbies and interests, professional experience, previous workplace, diploma’s, academic background, LinkedIn profile, Indeed profile and which job you have applied for.
• Statuses, notes and planning related to your job application;
• Personal data collected by interviewers and recruiters;
• Email and phone communications;
• Evaluation of the interviews and assessment of your suitability for the applied role.

We collect and process these personal data to evaluate the possibility of entering into an employment contract with you.

For specific roles, we may collect your health data such as your medical records to assess your working capacity for the job.

2. How do we collect your personal data

We usually collect personal data directly form you when you apply on our website, but we might collect your personal data from other sources, such as recruitment agencies, professional social networks and former employers or via an employee who refers you for a job position.

Our Recruitment Software Recruitee (https://recruitee.com/en/privacy) also allows applicants to submit applications through LinkedIn (https://www.linkedin.com/legal/privacy-policy) or Indeed (https://www.indeed.com/legal).

3. How long we keep your personal data

If you have been selected for the position, relevant personal data will be transferred to the HR department to create your employment contract and build you profile within the company database. All your personal data that is no longer necessary for a specific purpose will be deleted from our system. If you have not been successful for the position for which you have applied, we will ask for your consent to keep your personal data for a period of 2 years in order to inform you about new positions that may be of interest to you. In case of a spontaneous application or in case we received your information from someone who referred you, your personal data will also be kept for 2 years. After the 2 years period, all your personal data will be automatically deleted from our system.

4. Disclosure to third parties

We obtain assistance of a third-party recruitment software called Recruitee for the abovementioned purposes. Your personal data is entered into the Recruitee database, which is hosted on a server in the EEA. Recruitee has been required to process your personal data only in accordance with our instructions and to maintain reasonable security of such personal data.

In addition, personal data may be disclosed to authorized persons dealing with claims and investigations, law enforcement authorities, legal advisors and public authorities if needed to comply with a request or for the establishment, exercise or defense of legal claims.

It may occur that data about you is shared within the Galapagos group of companies if this is necessary to achieve specific purposes. We take appropriate measures to ensure that all the entities of the Galapagos group are submitted to the same or equivalent data protection rules.

As a general rule, the data that we collect from you is not transferred outside the EEA. If we, in exceptional circumstances, do transfer data outside the EEA, we will ensure it is protected employing the following safeguards:

• The non-EEA country has been awarded an adequacy decision by the European Commission;
• We have put in place appropriate contractual measures, including standard contractual clauses, with the third party to ensure that personal data receives the same protection as within the EEA.

5. Security of processing

We acknowledge our responsibility to ensure an appropriate level of security with regard to your personal data. Therefore, we have implemented various technical and organizational security measures in order to protect the personal data against loss, alteration, accidental or unlawful destruction, unauthorized disclosure of, or access to the personal data.

6. Your rights

When we collect and process your personal data, you can exercise the following rights :

• right of access: you can request a copy of your personal data undergoing processing and/or demand access to your personal data;
• right to rectification: you are entitled to have incorrect personal data corrected or completed;
• right to erasure (right to be forgotten): you have the right to have your personal data removed from our files. However, this right is not absolute, and some conditions must be met for this right to apply;
• right to restriction of processing: you have the right to request for the restriction of the processing of your personal data. Requests to restrict processing will only be granted where the requesting data subject has legitimate grounds to make such request;
• right to data portability: for personal data that you have provided to Galapagos, you have the right to receive your personal data, processed by Galapagos, in a structured, commonly used and machine-readable format and/or to transmit those data to another controller;
• right to object: under certain circumstances, you have the right to object to the processing of your personal data. Please note that this request may be refused if the data is necessary to be processed by Galapagos for compelling legitimate reasons, or the establishment, exercise or defense of legal claims;
• automated individual decision making: you have the right not to be subject to a decision based solely on automated processing including profiling;
• right to withdraw consent: with regard to the processing of personal data for which you have given your consent (e.g. keeping your personal data to inform you of future positions that might interest you) you may withdraw your given consent at any time. However, this withdrawal does not affect any processing operations previously carried out on the basis of your consent;
• right to lodge a complaint: if, at any time, you are of the opinion that we infringe your privacy, you have the right to lodge a complaint with the national supervisory data protection authority. The contact details of the supervisory authorities in Europe, can be found here: Members | European Data Protection Board (europa.eu).

7. Changes to this Privacy Notice

Changes to this Privacy Notice can be made from time to time, in accordance with international and local data protection laws. When we change the content of this Privacy Notice, we will change the date and version number of the ‘last update’ of this Privacy Notice.

8. Contact

If you have any questions or comments with regard to the content of this Privacy Notice or if you want to exercise one of your rights in relation to the data processed by us, you can contact our Data Protection Office by sending an email to dpo@glpg.com.