CANDIDATE'S PRIVACY POLICY
1. WHO ARE WE?
We are: UAB Orbio World, your Personal data Controller
Our company number is: 305049890
Our registered address: K. Donelaičio g. 60, LT- 44248 Kaunas
Our support e-mail address: hello@orbio.world.
We have appointed a Data Protection Officer (DPO) to oversee our data protection obligations. You can contact the DPO directly at: dpo@orbio.world.
2. WHAT IS THE PURPOSE OF THIS CANDIDATE PRIVACY POLICY?
This Candidate’s Privacy Policy (“Policy”) explains how UAB Orbio World ("Company", "we", "us", or "our") handles personal data about you (“Personal data” or “Data”) when you:
Visit our brand websites https://orbio.world or Careers site https://orbioworld.teamtailor.com (the “Websites”) where we advertise job vacancies;
Apply for a job role directly or via third-party platforms;
Contact us or send inquiries relating to job applications;
Are referred by someone or sourced via professional platforms (e.g. LinkedIn); or
Otherwise participate in our recruitment or talent acquisition process.
This Policy outlines what Data we collect, its purposes, how we use and share it, how long we retain it, your rights, and how we protect your Data. We are committed to process your Data lawfully, fairly, and transparently in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
By continuing to use the Websites or by submitting your Personal data via job application, you acknowledge that your Data may be processed as described in this Policy. If you do not agree with our practices, please refrain from using the Websites or submitting your Data in any other way.
This Policy is effective as of 1st of August 2025. We may update this Policy occasionally all updates take effect upon publication, so we encourage you to review it regularly to stay informed.
3. WHAT IS PERSONAL DATA AND HOW IS IT PROCESSED?
Personal data is any information that relates to you and can directly or indirectly identify you — such as your name, email address, IP address, CV details, or information about your qualifications and work experience. It can also include data about your location, education, or other professional identifiers.
Here are also few important things for you to know about Personal data processing:
We will only process your Data if we have a valid lawful basis to do so. Typically, our lawful bases include performance of a contract, obtaining your consent, fulfilling legal obligations, or pursuing our legitimate interests.
We normally do not collect special category data (such as health, religious beliefs, or biometric data) during recruitment unless it’s necessary and permitted by law — for example, for disability accommodations or legal compliance.
We do not make recruitment decisions about you based on automated processing or profiling that produces legal or significant effect on your application.
We never sell your Data to anyone.
Our Websites and recruitment processes are not intended for children under the age of 18, and we do not knowingly collect Personal data from minors without appropriate consent.
4. WHAT PERSONAL DATA DO WE PROCESS?
We collect and process only the Personal data necessary for clearly defined and lawful purposes. Below is the list of specific purposes, data collected, and legal bases:
1. Collecting and evaluating your job or internship applications
What information do we collect about you:
Name, contact details, CV/resume content, qualifications, employment history, motivation letter, LinkedIn profile (if provided), and other information you provide in the application process
What is your legal basis to collect your information:
Performance of a pre-contract GDPR (Art.6(1)(b)): To start and continue the recruitment process
Data recipients:
HR recruitment system Teamtailor (Non-EEA)
2. Sourcing potential candidates (e.g. via LinkedIn or job boards)
What information do we collect about you:
Publicly available professional information e.g. LinkedIn profile, employment history, CV content, contact details
What is your legal basis to collect your information:
Legitimate interest GDPR (Art.6(1)(f)): To approach potential candidates for relevant job openings
Data recipients:
HR recruitment system Teamtailor (Non-EEA)
3. Managing referrals received from employees or other informed way
What information do we collect about you:
Name, contact details, professional background of the referred candidate, referrer’s details
What is your legal basis to collect your information:
Legitimate interest GDPR (Art.6(1)(f)): To review received candidate information provided with candidate prior knowledge
Data recipients:
HR recruitment system Teamtailor (Non-EEA)
4. Scheduling and conducting interviews (online or in person)
What information do we collect about you:
Name, contact details, availability, invitations, technical setup info (for remote interviews)
What is your legal basis to collect your information:
Legitimate interest GDPR (Art.6(1)(f)): To manage recruitment processes efficiently
Data recipients:
HR recruitment system Teamtailor (Non-EEA), Meeting organizing platform Google workspace (Non-EEA)
5. Assessing candidate suitability
What information do we collect about you:
Qualifications, experience, professional licenses, references, past employer review, internal evaluations, notes from interview, potential conflict of interest checks
What is your legal basis to collect your information:
Legitimate interest GDPR (Art.6(1)(f)): To ensure role-fit, compliance, transparency and getting all relevant information about candidate before making offer decision
Data recipients:
HR recruitment system Teamtailor (Non-EEA), Past referred employer (normally EU)
6. Storing candidate CV for future opportunities (talent pool)
What information do we collect about you:
Name, contact details, CV/resume content, education, work experience, role preferences, and other information submitted during recruitment
What is your legal basis to collect your information:
Consent GDPR (Art.6(1)(a)): To retain Data for a defined period after the recruitment process ends
Data recipients:
HR recruitment system Teamtailor (Non-EEA)
7. Preparing and entering into employment agreements with successful candidates
What information do we collect about you:
Full name, contact info, job title, salary offer, employment terms, pre-employment documentation
What is your legal basis to collect your information:
Performance of a pre-contract GDPR (Art.6(1)(b)):To complete necessary steps before entering into an employment agreement
Data recipients:
HR recruitment system Teamtailor (Non-EEA), Employment system (Non-EEA)
8. Handling inquiries, messages or complaints from candidates
What information do we collect about you:
Name, email, communication content, internal notes or investigation outcomes (if applicable)
What is your legal basis to collect your information:
Consent GDPR (Art.6(1)(a)): To communicate and resolve issues when candidate contacts us first
Data recipients:
CS system (Non-EEA)
5. FROM WHAT SOURCES DO WE RECEIVE YOUR PERSONAL DATA?
We might collect Personal data from the following source (-s):
Directly from you: when you interact with us by filling out job application forms on the Websites or contacting us directly via email;
Job search platforms and publicly available sources: such as CVonline, CVbankas, or other similar business or employment-related websites where you publicly share your personal information;
Linkedin – if your profile is publicly available, we may review it to evaluate professional experience or reach out regarding relevant opportunities;
Employee referrals: from existing employees who recommend candidates through our internal referral program;
Recruitment agencies: if you have applied through a recruitment or headhunting agency;
State employment services: such as the Employment Services under the Ministry of Social Security and Labour of the Republic of Lithuania.
6. DO WE SHARE YOUR PERSONAL DATA WITH OTHERS?
Yes - but only when necessary, and with your privacy in mind.
We may share your personal data in the following recipients in described situations, applying appropriate safeguards and limiting access strictly to what is necessary:
State Authorities – we must disclose internship or work relationship by providing your Data to competent State supervisory as required by applicable laws and regulations.
Intra-Group companies – if applicable, we may share your data within our Group companies (within the EEA) for purposes such as recruitment coordination, legal compliance, or internal administration, under appropriate intra-group agreements and access controls.
External Service Providers (Data Processors) – we work with trusted third-party service providers who help manage our recruitment process – including applicant tracking systems, cloud infrastructure, communication tools, or legal and compliance advisors. These service providers act strictly under our instructions and are bound by Data Processing Agreements (DPAs).
Public Authorities – in limited cases, we may disclose your personal data to public institutions, regulators, or courts if legally required - for example, in response to lawful requests, audits, or proceedings to establish, exercise, or defend our legal rights.
Merger or acquisition participants – in connection with a potential merger, sale of Company assets, financing, or acquisition of all or part of our business to another company, we may share your Data to other parties involved in the process.
7. DO WE PROCESS YOUR PERSONAL DATA OUTSIDE THE EEA?
Yes – but only when necessary, and always with strong safeguards in place.
Most of the time, we process and store your Personal data within the European Economic Area (EEA). However, in some cases, your Data may be transferred to trusted service providers or systems based or that have infrastructure outside the EEA – for example, when we use international recruitment platforms, cloud hosting services, or receive support from teams located abroad. When such transfers occur, we make sure your Data is protected to EU standards and that your data is afforded a level of protection.
We do this by:
Ensuring the destination country has been granted an adequacy decision by the European Commission, or
Using Standard Contractual Clauses (SCCs) approved by the European Commission, and
Applying additional technical and organisational safeguards, such as encryption and access controls.
If you’d like more information about where your Data may be transferred or what protections are in place, feel free to contact us using the details in Sections 11 of this Policy.
8. HOW LONG DO WE KEEP YOUR PERSONAL DATA?
We keep your Personal data only for as long as necessary — to complete the recruitment process, comply with legal obligations, or with your consent to stay in our talent pool. We apply defined retention periods and use secure deletion methods when the time comes.
Here’s how it works in practice:
Candidates who apply directly to job ads: Data is stored for 12 months from the date application was submitted.
Applications received via email: we kindly redirect such candidates to apply via our Websites to ensure privacy and proper processing.
Communication via email: 3 years from received date.
At the end of each period candidate will receive an automatic email asking if would like us to keep Data longer in our talent pool. If consented, Data will be stored for an additional 90 days (Headhunted or referred candidates) or 12 months (for applied candidates). If no response is received, Data will remain for a short buffer period of 3 months, after which it will be automatically irreversibly deleted. This consent collection process to keep Data in talent pool might be repeated multiple times.
Please also note, that despite settled period, you can always withdraw your consent or ask for your Data to be erased at any time. Just reach out to us via contacts stated in Section 11 of this Policy.
9. HOW DO WE ENSURE SECURITY OF YOUR DATA?
We are committed to protecting your Data and take the security of your information seriously. We apply a combination of technical and organisational measures to prevent unauthorised access, accidental loss, misuse, alteration, or disclosure of personal data.
Our security safeguard practices are based on core data protection principles and include, but are not limited to:
Collecting Data only for specified and lawful purposes,
Processing Data fairly and transparently,
Retaining Data only as long as necessary,
Limiting access to Data strictly to authorised employees,
Sharing Data with third parties only when legally justified,
Providing regular data protection training to our employees,
Conducting internal and/or external IT security audits,
Using encryption for sensitive data,
Performing regular Data backups and activity logging,
Continuously improving processes to ensure Data security,
Regularly monitor our systems for potential threats or breaches.
While we apply strong security measures, no system is entirely risk-free — especially during internet transmission. To help protect your Data, please stay vigilant online and always use a strong, unique password, keep it confidential, secure your devices, be cautious when sharing information online especially via strange links. Security incidents resulting from user actions (e.g. credential sharing or phishing) may fall outside our control.
10. WHAT ARE YOUR RIGHTS?
If we process your Data as set out in this Policy, or you believe we may be doing so, you have the following rights as a Data Subject. These rights apply regardless of whether we process your Data as a client, supplier, contractor, or professional contact:
Right to be Informed – You have the right to clear, transparent information about how we collect and use your Data. This detailed Policy aims to provide that.
Right of Access – You can ask us whether we process your Data and request a copy of the Data we hold about you.
Right to Rectification – If your Data is inaccurate or incomplete, you can ask us to correct or update it.
Right to Erasure (“Right to Be Forgotten”) – You can request that we delete your Data if it is no longer necessary, was processed unlawfully, or you withdraw consent. Please note – we may retain certain Data where required by law.
Right to Restrict Processing – You can ask us to restrict the processing of your Data – for example, while we verify its accuracy or review an objection.
Right to Data Portability – Where processing is based on your consent or a contract and carried out by automated means, you can request your Data in a structured format to be transferred to another provider.
Right to Object – You can object to processing based on our legitimate interests or for direct marketing purposes. We will stop such processing unless we have overriding legal grounds.
Right to Withdraw Consent – If we rely on your consent to process your Data, you can withdraw it at any time. This does not affect processing carried out before withdrawal.
Right to Lodge a Complaint – If you’re unhappy with how we handle your Data, please contact us first – we’ll do our best to resolve the issue, but if you are unsatisfied with the outcome you can always file a complaint to the State Data Protection Inspectorate https://vdai.lrv.lt
Please note: Your rights are not absolute. In some cases, the exercise of your rights may be restricted under applicable data protection laws for example, where fulfilling your request would adversely affect the rights and freedoms of others, or where we are legally required to retain certain personal data (e.g. for compliance, legal claims, or regulatory purposes).
11. HOW TO CONTACT US OR EXERCISE YOUR RIGHTS?
If you have questions about this Policy, how we handle your Personal data, or wish to exercise your data protection rights, we’re here to help – you can reach out to us in the following ways:
Visit the Data & Privacy section on our Career Site – where you may find tools to manage your personal data preferences;
Log into your Candidate account, where you can update your information or manage your privacy settings directly;
Or simply contact us by email at: dpo@orbio.world
To help us respond quickly, please:
Clearly describe your request or concern;
Specify which right you want to exercise (if applicable);
Provide enough information for us to confirm your identity (we may ask for ID or verification);
Include any other helpful details.
If you're acting on behalf of someone else, please send us signed, written permission confirming your authority to do so.
We aim to respond within one month of receiving your request. If your case is complex or involves multiple requests, we may need more time – in which case, we’ll let you know and explain why.
END OF CANDIDATE’S PRIVACY POLICY