1. Purpose
- 1.1 Nevro Corp. and its affiliates (collectively, “Nevro”, “we” or “us”) are committed to protecting and respecting your privacy. This Applicant Privacy Notice (“Notice”) aims to give job applicants (“Applicants”) of Nevro, information on how their personal data (i.e., information which directly or indirectly identifies an applicant) (“Personal Data”) is processed by Nevro when they apply for a role or vacancy with Nevro.
- 1.2 This Notice shares information about the types of Personal Data we collect, how we may use or disclose it, and how we maintain its security.
- 1.3 If you are applying for a role with a Nevro entity in the EU or the UK, that entity is the controller with respect to your Personal Data. The contact details for each Nevro employing entity are set out in Annex I below.
- 1.4 If you are a California resident, this notice also informs you of your rights, and how you may exercise them, under the California Consumer Privacy Act (“CCPA”).
2. Processing of Personal Data
- 2.1 Nevro will process Personal Data in accordance with applicable privacy and data protection laws and regulations (“Data Privacy Requirements”). If Applicants do not provide certain information when requested, we may not be able to process the application successfully, or we may be prevented from complying with our legal obligations.
3. Sources of Personal Data
- 3.1 In the 12 months preceding the date of this Notice, we collected Personal Data through the application and recruitment process, either directly from an Applicant or indirectly via recruitment agencies. Nevro may sometimes collect additional information from third parties such as referrers, background check providers, any LinkedIn account that may be maintained by the Applicant, and other information from publicly available sources.
- 3.2 Our recruitment efforts are not directed to minors under the age of 18 and we do not knowingly collect or sell the personal information of minors, including minors under 16 years of age.
4. Types of Personal Data
- 4.1 Nevro processes the following types of Personal Data for the purposes set out in this Notice (subject to any local Data Privacy Requirements):
- (a) Personal Identifiers: contact information (e.g., name, home and business address, phone numbers and email addresses); government identification numbers (e.g., social security number, driver’s licenses, and passports).
- (b) Official Documents: work authorization status;
- (c) Professional and educational information: academic and professional details (such as employment history, level of education, skills), CV/resume, language proficiencies and other work-related skills, information provided by references, cover letter, transcripts, photographs, videos, articles and comments, employment preferences (such as preferred language, willingness to relocate, salary and desired salary);
- (d) Data Concerning Criminal Convictions and Offences: where Nevro carries out background checks on applicants this may involve the processing of criminal record data and this will only be processed where such processing is specifically authorized or required by law];
- (e) Protected class information and other special categories of personal data: where you voluntarily provide certain information, Nevro may process protected class information including race; religion; ethnicity; sexual orientation; veteran status; national origin; medical leave information; and disability status;
- (f) Visual information: including images collected by closed circuit cameras we use in our offices or recordings of videoconferences;
- (g) Any other information which may be voluntarily disclosed by the Applicant in the course of the application process; and
- (h) Any inferences drawn from the above categories of personal information.
5. Purposes and Legal Bases of the Processing of Personal Data
- 5.1 Personal Data may be processed by Nevro for the purposes set out below subject to any local Data Privacy Requirements:
Category of Personal Data
|
Purpose of Processing
|
Lawful Basis
|
Categories (a)-(c)
|
Making a decision about the Applicant’s recruitment or appointment, including the right to work
|
This is necessary to enter into a contract with Applicants (Article 6(1)(b), GDPR)
Nevro has a legal obligation to do so (Article 6(1)(c), GDPR)
|
Categories (a)-(c), (f)
|
Managing the recruitment process, including assessing the Applicant’s skills, qualifications and suitability for the role
|
We have a legitimate interest to ensure that we appoint a suitable and qualified applicant to the relevant Nevro role (Article 6(1)(f), GDPR)
To be able to manage and perform contracts with applicants (Article 6(1)(b), GDPR).
|
Categories (a)-(c), (f)
|
Maintaining records regarding the recruitment process
|
Nevro has a legitimate interest to ensure that we maintain accurate and comprehensive records regarding the recruitment process (Article 6(1)(f), GDPR)
Nevro has a legal obligation to do so (Article 6(1)(c), GDPR)
|
Category (a)
|
Communicating with the Applicant, recruitment agents and other vendors and business associates
|
Nevro has a legitimate interest to ensure that communicates promptly and effectively regarding the recruitment process (Article 6(1)(f), GDPR)
|
All categories of Personal Data
|
Carrying out audits and to investigate and resolve complaints, grievances or misconduct
|
Nevro has a legitimate interest to manage its business (Article 6(1)(f), GDPR)
Nevro may have a legal obligation to do so (Article 6(1)(c), GDPR)
|
All categories of Personal Data
|
Preparing for and acting in relation to enquiries, investigations or proceedings, by governmental, administrative, judicial or regulatory authorities, including civil litigation; and complying with other legal requirements
|
Nevro has a legitimate interest to manage its business and to ensure that all investigations and proceedings are managed efficiently and effectively (Article 6(1)(f), GDPR)
Nevro may have a legal obligation to do so (Article 6(1)(c), GDPR)
|
All categories of Personal Data
|
Providing reasonable diligence material to a third party or meeting any disclosure obligations in connection with a potential asset or stock sale or acquisition or reorganization of Nevro
|
Nevro has a legitimate interest to manage its business (Article 6(1)(f), GDPR)
|
Special Categories of Personal Data
|
Data relating to health
|
We will use information about Applicants’ physical or mental health, or disability status, to ensure health and safety in the workplace and to assess Applicants’ fitness to work and to provide appropriate workplace adjustments
|
To comply with employment laws and other laws (Article 9(2)(b), GDPR)
Where necessary for reasons of substantial public interest, on a lawful basis (Article 9(2)(g), GDPR)
|
Criminal Convictions and Offences Data
|
Criminal convictions and offences data
|
Nevro may process Personal Data relating to criminal convictions and offences to determine whether Applicants should be offered or continue in a role with the organisation
|
Nevro may have a legitimate interest to determine whether an Applicant is suitable for a particular role in the organization (Article 6(1)(f) and 10, GDPR)
|
Right to Object – Please note that Applicants may a right to object to the processing of their Personal Data where that processing is carried out for our legitimate interests. Please note however that we may not be able to fulfil this request in all instances.
6. Disclosure of Personal Data and Recipients
- 6.1 The following chart describes the categories of Personal Data that we disclosed to third parties for a business purpose in the 12 months prior to the date of this Notice.
Categories of Consumers’ Personal Information
|
Categories of Third Parties With Which We Shared Personal Information for a Business Purpose
|
Personal identifiers and official documents: name, contact details, address, social security number, driver’s license information or passport information, work authorization forms
|
Service providers that assist in providing human resource functions; facilitate scheduling and email communications; provide security services and cloud-based data storage, assist with other IT-related functions; provide hiring analytics; provide legal services; host or facilitate teleconferencing or video conferencing services
|
Protected class information and other special categories of personal data: race, ethnicity, and other diversity data; sexual orientation; gender identity or expression; age; national origin; veteran’s status
|
Service providers that assist in providing human resource functions; provide hiring analytics; provide legal and services
|
Professional and educational information: records of your work history, background check information, references, job descriptions, education history, certificates obtained
|
Service providers that assist in providing human resource functions; facilitate scheduling and email communications; provide hiring analytics; provide legal and accounting services
|
Visual information: images collected by closed circuit cameras we use in our offices for security reasons
|
Service providers that assist in providing building security functions or video conferencing services
|
- 6.2 Additional Information About How We May Disclose Personal Data: Subject to applicable law, we may also share Personal Data with the following parties.
- (a) Nevro affiliates (including Nevro in the U.S.);
- (b) third parties to help detect and protect against fraud or data security vulnerabilities;
- (c) third parties in the event of an actual or potential sale, merger, reorganization of our entity; or
- (d) as required or permitted by law, including to comply with a legal summons or similar legal process or government request, or when Nevro believes in good faith that disclosure is legally required or Nevro has a legitimate interest in making a disclosure, such as where necessary to protect Nevro’s rights and property
7. Transfer of Personal Data outside the European Economic Area and/or the United Kingdom
- 7.1 Given the global nature of Nevro’s activities, Nevro will, for the above listed purposes, transfer Personal Data to other recipients as referred to above, that are located outside the European Economic Area (“EEA”) and/or the United Kingdom (“UK”) including in the U.S., and which are not considered by the European Commission or the UK Government (as applicable) to provide an adequate level of data protection.
- 7.2 Personal Data will only be transferred from the EEA and/or the UK to a recipient in a country which is not considered to provide an adequate level of data protection when the transfer is in compliance with applicable Data Privacy Requirements.
- 7.3 Nevro has entered into EU standard contractual clauses (“SCCs”) for controller to controller transfers of personal data, including Personal Data, from Nevro in the EU/UK to Nevro in the U.S.. Applicants can request a copy of the SCCs by contacting privacy@nevro.com.
- 7.4 Where Nevro transfers Applicants Personal Data to recipients outside of the EEA and/or the UK, Nevro has entered, or will enter, into SCCs with the recipient or seek assurances from the recipient that they have Binding Corporate Rules in place.
8. Securing Personal Data
We take reasonable steps to ensure the security of Personal Data. We maintain appropriate administrative, technical, and physical safeguards designed to protect Personal Data from loss, misuse, unauthorized access, disclosure, alteration, and destruction. We maintain a Corporate IT Security Policy and use tested access and security controls to ensure that the Personal Data is safe. We also require that third party service providers acting on our behalf or with whom we share your information also provide such security measures in accordance with industry standards. You should be aware, however, that no method of transmission over the Internet or method of electronic storage is completely secure. Accordingly, while our reasonable security program is designed to manage data security risks and thus help prevent data security incidents and breaches, it cannot be assumed that the occurrence of any given incident or breach results from our failure to implement and maintain reasonable security.
9. Retention
Nevro will retain Personal Data for no longer than is necessary for the purposes for which Nevro is processing such Personal Data, in accordance with its record retention policy, and as follows: (i) for the duration of the application process; (ii) if the application was unsuccessful, after the notice of rejection, for as long as necessary in order to resolve any queries or disputes; and (iii) in the case of a legal or regulatory obligation requiring us to retain specific records for a set period of time, for that period of time.
10. Rights of Applicants (EEA/UK)
Under applicable data protection laws, you may have a right to (subject to a limited number of exceptions): (i) request access to and rectification or erasure of your Personal Data; (ii) obtain restriction of processing or to object to processing of your Personal Data; (iii) ask for a copy of your personal data to be provided to you, or a third party, in a digital format; and (iv) withdraw your consent to the processing of your Personal Data where this is the legal basis Nevro is relying on for the processing. The withdrawal of consent does not affect the lawfulness of Nevro’s processing of Personal Data based on such consent before the withdrawal. You also have the right to lodge a complaint about the processing of your Personal Data with the applicable data protection authority.
11. Rights of Applicants (California)
If you are a resident of California, this section describes your rights under California law. If you exercise any of the rights explained in this section, we will continue to treat you fairly.
- 11.1 Your Right to Access Information We Collect and Share About You
We are committed to ensuring that you know what personal information we collect. To that end, you can ask us for the following information from us with respect to the personal information that we’ve collected about you in the 12 months prior to our receipt of your request:
- Specific pieces of personal information we have collected about you;
- Categories of personal information we have collected about you;
- Categories of sources from which such personal information was collected;
- Categories of personal information that the business sold or disclosed for a business purpose about the consumer;
- Categories of third parties to whom the personal information was sold or disclosed for a business purpose; and
- The business or commercial purpose for collecting or selling your personal information.
- 11.2 Your Right to Request Deletion of Personal Data We Have Collected From You
Upon your request, we will delete the personal information we have collected about you, except for situations where the CCPA authorizes us to retain specific information, including when it is necessary for us to operate our business and support your functioning as our employee or contractor; perform a contract we entered into with you; maintain the functionality or security of our systems; or comply with or exercise rights provided by the law. The law also permits us to retain specific information for our exclusively internal use, but only in ways that are compatible with the context in which you provided the information to us or that are reasonably aligned with your expectations based on your relationship with us.
- 11.3 Exercising Your Rights and How We Will Respond
If you exercise any of the rights provided under California law, we will continue to treat you fairly. To exercise your access or deletion rights, or to ask us a question, please contact us at privacy@nevro.com.
For requests for access or deletion, we will first acknowledge receipt of your request within 10 business days of receipt of your request. We will then provide a substantive response to your request as soon as we can, generally within 45 days from when we receive your request, although we may be allowed to take longer to process your request in certain jurisdictions or under certain circumstances.
If we expect your request is going to take us longer than normal to fulfil, we will let you know.
We usually act on requests and provide information free of charge, but we may charge a reasonable fee to cover our administrative costs of providing the information in certain situations.
In some cases, the law may allow us to refuse to act on certain requests. When this is the case, we will endeavour to provide you with an explanation as to why.
- 11.4 Verification of Identity for Access or Deletion Requests
We will ask you for two pieces of personal information and attempt to match those to information that we maintain about you. If we are unable to verify your identity with the degree of certainty required, we will not be able to respond to the request. We will notify you to explain the basis of the denial.
- 11.5 Authorized Agents
You may designate an agent to submit requests on your behalf. The agent can be a natural person or a business entity that is registered with the California Secretary of State.
If you would like to designate an agent to act on your behalf, you and the agent will need to comply with our verification process. Specifically, if the agent submits requests to access, know or delete your personal information, the agent will need to provide us with your signed permission indicating the agent has been authorized to submit the request on your behalf. We will also require that you verify your identity directly with us or confirm with us that you provided the agent with permission to submit the request.
Please note that this subsection does not apply when an agent is authorized to act on your behalf pursuant to a valid power of attorney. Any such requests will be processed in accordance with California law pertaining to powers of attorney.
12. Changes to this Notice
We will review and update this Notice as required to keep current with rules and regulations, new technologies and security standards. We will post those changes on the website or update the Privacy Notice modification date below. In certain cases and if the changes are material, you will be notified via email or a notice on our website.
13. Accessibility
We are committed to ensuring that our communications are accessible to people with disabilities. To make accessibility-related requests or report barriers, please contact us at Benefits@nevro.com.
14. Enquiries, Requests or Concerns
All enquiries, requests or concerns regarding this Notice or relating to the processing of Personal Data including all requests as detailed in Section 10 or Section 11 above, should be sent to privacy@nevro.com.
Annex I – Nevro Employing Entities
Jurisdiction
|
Entity Name
|
Contact Details
|
Australia
|
Nevro Medical Pty Limited
|
Email: privacy@nevro.com
Address: Level 14/440 Collins Street, Melbourne, VIC 3000, Australia
|
Belgium
|
Nevro Medical Limited (acting through its Belgian branch office)
|
Email: privacy@nevro.com
Address: Carrick House, Lypiatt Road, Cheltenham, Gloucestershire, GL50 2QJ
|
Costa Rica
|
Nevro Medical S.R.L
|
Email: privacy@nevro.com
Address: Building 28C, Coyol Free Trade Zone, Alajuela, 20113, Costa Rica
|
Ireland
|
Nevro Medical Limited
|
Email: privacy@nevro.com
Address: Carrick House, Lypiatt Road, Cheltenham, Gloucestershire, GL50 2QJ
|
Germany
|
Nevro Medical Limited (acting through Nevro Germany GmbH)
|
Email: nevro@iitr.de
Address: Prielmayerstraße 3, 80335 München
|
Luxembourg
|
Nevro Medical Limited
|
Email: privacy@nevro.com
Address: Carrick House, Lypiatt Road, Cheltenham, Gloucestershire, GL50 2QJ
|
Netherlands
|
Nevro Medical Limited
|
Email: privacy@nevro.com
Address: Carrick House, Lypiatt Road, Cheltenham, Gloucestershire, GL50 2QJ
|
Norway
|
Nevro Medical Limited
|
Email: privacy@nevro.com
Address: Carrick House, Lypiatt Road, Cheltenham, Gloucestershire, GL50 2QJ
|
Sweden
|
Nevro Medical Limited
|
Email: privacy@nevro.com
Address: Carrick House, Lypiatt Road, Cheltenham, Gloucestershire, GL50 2QJ
|
Switzerland
|
Nevro Medical Limited (acting through Nevro Medical SAGL)
|
Email: privacy@nevro.com
Address: Christoph Merian-Ring 11, 4153 Reinach
|
United Kingdom
|
Nevro Medical Limited
|
Email: privacy@nevro.com
Address: Carrick House, Lypiatt Road, Cheltenham, Gloucestershire, GL50 2QJ
|
United States
|
Nevro Corp.
|
Email: privacy@nevro.com
Address: 1800 Bridge Parkway, Redwood City, CA 94065
|