Candidate Privacy Policy
This policy was last updated in January 2024.
GENERAL INFORMATION
We, at Varonis Systems, Inc. and our subsidiaries (collectively, “we”, the "Company" or “Varonis”), respect the privacy of our job seekers, who provide us Personal Information (as defined below) within the natural framework of our relationship. We are committed to respecting your privacy, and we recognize the need for appropriate protections and management of Personal Information that you provide to us.
WHAT INFORMATION DO WE PROCESS AND HOW WE COLLECT IT
We collect personally identifying or identifiable information (hereinafter “Personal Information”) that is provided to us during the recruitment process. Personal Information does not include anonymous or non-Personal Information (i.e., information that cannot be associated with or tracked back to a specific individual). Most of the information is provided to us directly and knowingly by you.
We may collect, store, use and process all or some of the following categories of Personal Information about you:
- Personal details - Such as your name, addresses, telephone numbers, personal email addresses, date of birth, identification number, as well as a copy of your ID, passport or driving license.
- Information collected for the purposes of your recruitment - Including copies of right to work documentation, references and other information included in a CV or cover letter or as part of the application process, such as past employment records, job titles, training records, professional certifications.
- CCTV - As part of our security ecosystem, we may use CCTV systems to monitor physical access. We limit access to the application and database on a need-to-know basis.
Varonis generally collects Personal Information directly from you, the candidate. From time to time, Varonis may receive Personal Information about you collected from third parties we do business with, in the course of our business interactions (e.g. background check agencies or recruiters). In those circumstances, Varonis will take reasonable steps to ensure that those third parties have represented to us that they have the right to disclose your Personal Information to us.
WHAT ARE THE CONDITIONS FOR PROCESSING OF PERSONAL INFORMATION?
The legal basis for processing your Personal Information is your consent, and Varonis' legitimate interest, as the processing of the data is intended to carry out acts directly linked to the screening process or is otherwise reasonably necessary for one or more of our functions, activities, or for compliance with legal obligations which Varonis is subject to and the smooth and effective operation of Varonis.
HOW DO WE USE THE INFORMATION WE COLLECT?
We use the Personal Information for legitimate business purposes, only to the extent required or otherwise reasonably necessary for one or more of our functions or activities, and while maintaining your right to privacy. Such legitimate business purposes include:
- To assess your candidacy, for example, making a decision about your recruitment, employment or termination.
- To comply with a legal or regulatory obligation, for example, checking you are legally entitled to work in the country where you are employed by us.
- Where it is necessary for our, or your, legitimate interests (or those of a third party) as long as your fundamental rights do not override those interests.
If you fail to provide certain information when requested, we may not be able to proceed with the screening or hiring process, or we may be prevented from complying with our legal obligations.
We will only use your Personal Information for the purposes for which we collected it. If we need to use your Personal Information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
We may use your Personal Information without your knowledge or consent where we are permitted or required by applicable law or regulatory requirements to do so. For example, we may use and/or disclose Personal Information, or any information you submitted to us, if we have a good faith belief that use and/or disclosure of such information is helpful or reasonably necessary to: (i) comply with any applicable law, court/tribunal order, regulation, legal process, including alternative dispute resolution process, or governmental request; (ii) enforce our policies, including investigations of potential violations thereof; (iii) investigate, detect, prevent or take action regarding illegal activities or other wrongdoing, suspected fraud or security issues; (iv) to establish or exercise our rights to defend against legal claims; (v) lessen or prevent harm or serious threat to the rights, property, life, health or safety of us, our users, yourself or any third party; (vi) locating a person reported as missing; or (vii) for the purpose of collaborating with law enforcement agencies or in case we find it necessary in order to enforce intellectual property or other legal rights.
HOW DO WE USE SENSITIVE PERSONAL INFORMATION?
We will, if necessary, process special categories of Personal Information in the following circumstances:
- Information about criminal convictions and offences - We will only collect information about criminal convictions if it is appropriate given the nature of the role and where we are legally able to do so. Where appropriate, we will collect information about criminal convictions as part of the recruitment process or we may be notified of such information directly by you in the course of you working for us.
- Your Consent - In some circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us.
SHARING PERSONAL INFORMATION WITH THIRD PARTIES; INTERNATIONAL DATA TRANSFERS
Where required by law, necessary to administer the working relationship with you or where we have another legitimate interest in doing so, we may have to share your Personal Information with the following third parties:
- Other entities within Varonis group - We may share your Personal Information with other entities in our group as part of our regular reporting activities on Company performance and in the context of a business reorganization or group restructuring exercise.
- Recruiters - We may share your Personal Information with third party recruiters working with us, hiring managers and other interviewers. Often these individuals will be based in the country where the position is based, but in some cases, they may be located in other countries.
- Service providers, for example:
  - Providers of recruiting or talent acquisition systems.
  - Companies contracted to perform candidate background screenings. These companies may be based in another country and may obtain data from other countries where you have lived, worked or studied, as may be relevant as part of a background check.
- Government Departments
- Law enforcement, governmental authorities and regulators – For example, where legal reporting requirements may exist, or law enforcement agencies or private litigants in response to valid law enforcement process (warrant, subpoena, or court order).
All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your Personal Information. We do not allow our third-party service providers to use your Personal Information for their own purposes. We only permit them to process your Personal Information for specified purposes and in accordance with our instructions.
Since we operate globally, it may be necessary to transfer, store and process Personal Information in a country in which we or our affiliates, subsidiaries, service providers or partners maintain facilities, such as the United States, Israel, United Kingdom, Australia, Singapore and the European Union (in particular, France, Germany, Ireland, Netherlands, Belgium and Luxembourg). The data protection and other laws of these countries may not be as comprehensive as those in your jurisdiction of residence. EU and UK residents, please note that we may transfer your Personal Information to countries outside the EEA or the UK. In these instances we will take steps, as required by applicable law, to ensure that a similar level of protection is given to Personal Information, including, when applicable, through contractual means (for example, when the GDPR or UK law applies, we will rely on the standard contractual clauses approved by the European Commission for data transfers, the UK International Data Transfer Addendum (IDTA), or transfer data only to recipients located in jurisdictions which were granted an “adequacy decision” with regard to their level of protection of personal data by the European Commission).
HOW LONG DO WE RETAIN THE INFORMATION WE COLLECT?
Unless you instruct us otherwise for justified reasons, we retain the information we collect for as long as we believe is needed to operate our business, to fulfill the purposes listed in this Privacy Policy and to comply with our legal obligations, resolve disputes and enforce our agreements and policies (including exercising any of our rights under our agreements, such as audit and record-keeping). We may, instead of destroying or erasing your Personal Information, make it anonymous such that it cannot be associated with or tracked back to you.
In Varonis offices where CCTV cameras are installed, the footage of such cameras is retained for six months (unless a specific need arises).
HOW DO WE SAFEGUARD YOUR INFORMATION?
We are committed to making reasonable efforts, in accordance with market best practices, to ensure the security, confidentiality and integrity of the Personal Information you provide us and to protect your Personal Information from loss and unauthorized access, copying, use, modification or disclosure. Access to the Personal Information is based on the ‘need to know’ concept together with role-based access control systems, ensuring only authorized access to the Personal Information. To protect the privacy of any Personal Information you may have provided, we are using data hosts who implement market best practice security measures. Although we take steps to safeguard such information, we cannot be responsible for the acts of those who gain unauthorized access by using your credentials, and we make no warranty, express, implied or otherwise, that we will prevent such access. If a password is used to help protect your accounts and Personal Information, it is your responsibility to keep your password confidential.
WHAT ARE YOUR RIGHTS?
We acknowledge that different people have different privacy concerns and preferences. Our goal is to be clear about what information we collect so that you can make meaningful choices about how it is used. We allow you to exercise certain choices, rights, and controls in connection with your Personal Information. Depending on your relationship with us, your jurisdiction and the applicable data protection laws that apply to you, you have the right to control and request certain limitations or rights to be executed.
The following table describes all the rights you are entitled to. Please note that some rights are only available for residents of certain jurisdictions. Please also note that these rights are not absolute, and may be subject to our legitimate interests and regulatory requirements.
Right type | EU and UK Residents Right | Virginia, Colorado, Connecticut and Utah Residents Rights | California Privacy Laws | Details |
---|---|---|---|---|
The right to know and access what Personal Information the business has collected | V | V | V | The right to know what Personal Information we collected, including the categories of Personal Information, the sources from which the Personal Information is collected, the business or commercial purpose for collecting, selling, or sharing Personal Information, the categories of third parties to whom we disclose Personal Information, and the specific pieces of Personal Information we collected about you. |
Deletion Rights | V | V | V | The right to delete Personal Information that we collected from you, subject to certain exceptions. |
Correct Inaccurate Data | V | V (Excluding Utah residents) | V | The right to correct inaccurate Personal Information that we maintain about you. |
Opt-Out of Sharing for Cross-Contextual Behavioral Advertising | N/A | V | V | You have the right to opt-out of the “sharing” of your Personal Information for “cross-contextual behavioral advertising” (all as defined under the CCPA), often referred to as “interest-based advertising” or “targeted advertising”. |
Opt-out from selling | N/A | V | V | The right to opt-out of the "sale" or "sharing" (as defined under the CCPA) of Personal Information. |
Limit the Use or Disclosure of Sensitive Personal Information (SPI) | N/A | N/A | V | You have the right to request to limit the collection of your SPI to that use which is necessary to maintain our Service. |
Opt-out from profiling in furtherance of decisions that produce legal or similarly significant effects concerning the user | N/A | V | N/A | You have the right to request to opt-out from processing involving profiling, in furtherance of decisions that produce legal or similarly significant effects concerning you. |
Opt-Out of the Use of Automated Decision Making | V | N/A | N/A | In certain circumstances, you have the right to opt-out of the use of automated decision making in relation to your Personal Information. |
Non-Discrimination | N/A | V | V | The right not to receive discriminatory treatment by us for exercising your privacy rights, including denying goods or services, charging different prices or rates for goods or services, providing a different level or quality of goods or services, etc. We may, however, charge different prices or rates, or provide a different level or quality of goods or services, if that difference is reasonably related to the value provided to us by your Personal Information. |
Data Portability | V | V | V | You may request to receive a copy of your Personal Information, including specific pieces of Personal Information, including, where applicable, to obtain a copy of the Personal Information you provided to us in a portable format. |
Restriction or Objection to Processing | V | N/A | N/A | You have the right to object to the processing of your Personal Information, unless certain exceptions apply. |
Withdrawal of Consent | V | N/A | N/A | If Personal Information is processed on the basis of your consent, you have the right to withdraw it at any time. |
If you wish to exercise your data protection rights or raise a complaint on how we have handled your Personal Information, please feel free to reach out to us at the contact details provided below. In addition, you have the right to lodge a complaint with the supervisory authority, as detailed below.
UPDATES OR AMENDMENTS TO THIS PRIVACY POLICY
We may revise this Privacy Policy from time to time, in our sole discretion, and the most current version will be available on our website. We encourage you to review this Privacy Policy regularly for any changes.
Your continued communication with Varonis following such amendments constitutes your acknowledgement and consent of such amendments to this Privacy Policy and your agreement to be bound by the terms of such amendments.
HOW TO CONTACT US
If you wish to exercise any of the rights mentioned herein, inquire regarding this privacy policy or the information that we collect about you, or if you feel that your privacy was treated not in accordance with this Privacy Policy, you may contact our Data Protection Officer at privacy@varonis.com.
If you wish us to stop processing and delete your personal information, please email: privacy@varonis.com. If you are unsatisfied with our response, you can reach out to the applicable data protection authority:
- The Data Protection Commissioner in Ireland at Canal House, Station Road, Portarlington, Co. Laois, R32 AP23, Ireland.
- If the UK GDPR applies: The Information Commissioner's Office's Data Protection and Personal Information Complaints Tool.
- Personal Data Protection Commission, 10 Pasir Panjang Road #03-01, Mapletree Business City, Singapore 117438, +65 6377 3131, info@pdpc.gov.sg.
- The Office of the Australian Information Commissioner, GPO Box 5218 Sydney NSW 2001, +61 1300 363 992, enquiries@oaic.gov.au.
* * *
ADDITIONAL PRIVACY NOTICE FOR U.S RESIDENTS
This part of the Policy addresses the specific disclosure requirements under the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act of 2020, and the regulations enacted thereunder (collectively: "CCPA"), the Virginia Consumer Data Protection Act, Va. Civ. Code § 59.1 ("VCDPA"), the Colorado Privacy Act, 2021 Colo. ALS 483; 2021 Colo. Ch. 483; 2021 Colo. SB. 190 ("CPA"), the Connecticut Data Privacy and Online Monitoring Act, Conn. Gen. Stat. § 42-515 et seq. ("CTDPA"), the Utah Consumer Privacy Act, Utah Code Ann. Title 13, Ch. 61 ("UCPA") (collectively: "US Applicable Laws").
Most of the statements, rights and obligations under this part are common to all US Applicable Laws and apply to you only to the extent determined in the applicable law according to your residency.
Collection, disclosure and sharing of Personal Information
In the 12 preceding months, we may have collected and disclosed the following categories of Personal Information:
Sources of Personal Information:
- Directly from the candidate.
- Recruitment agencies and similar HR service providers
Categories of service providers to whom Personal Information was disclosed:
Category | Personal Information collected | Categories of service providers to whom Personal Information was disclosed |
---|---|---|
A. Identifiers | Name and contact information (full name, home address, phone number and), date of birth, etc. | · Cloud Services · Communication and messaging applications · Third parties assisting us in our business operations · HR management service providers · Recruiters working with us |
B. Professional or employment-related information | Past employment history and evaluations. | · Cloud Services · Recruiters working with us |
C. Education Information | Including information about your educational background, such as education records and transcripts that are not publicly available. | · Cloud Services · Recruiters working with us |
In addition, in the past 12 months, we may have collected the following categories of Sensitive Personal Information:
Category of Personal Information Collected | Personal Information Collected | Categories of service providers to whom Personal Information was disclosed |
---|---|---|
A. Government Identifiers | Government identification numbers (such as social security numbers, taxpayer IDs and driver’s license) | · Cloud Services · HR management service providers |
We do not sell or share Personal Information, as these terms are defined under US Applicable Laws.
We may transfer Personal Information to third parties as assets that are part of a merger, acquisition, bankruptcy or other transaction in which the third party assumes control of all or part of the Company. Such transfer will be handled according to the requirement of the U.S Applicable Law and shall not be regarded as a sale of Personal Information under U.S Applicable Law.
Purposes for collection and disclosing of Personal Information
Our purposes for collecting and disclosing Personal Information can be found above, under the section “How do we use the information we collect”.
Exercising Your Rights
You can exercise your rights (such as deletion) by submitting a verifiable consumer request using the contact details specified in the "How to contact us" section above, in accordance with the instruction provided herein.
Only you or a person authorized to act on your behalf may make a consumer request related to your Personal Information.
The request must:
- Provide sufficient information to allow us to reasonably verify you are the person about whom we collected Personal Information or an authorized representative.
- Describe your request with sufficient details to allow us to properly understand, evaluate, and respond to it.
We cannot respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm the Personal Information relates to you. Making a verifiable consumer request does not require you to create an account with us. We will only use Personal Information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.
You may only request a copy of your data twice within a 12-month period.
If you have any general questions about the Personal Information that we collect about you or how we use it, please contact us using the contact details specified in the "How to contact us" section above.
If you are a Virginia resident, you have the right to appeal a rejection to your request. The appeal request shall be submitted using the contact details specified in the "How to contact us" section above.
If your appeal is denied, you may lodge a complaint with the Virginia Attorney General through the contact information available here: https://www.oag.state.va.us/contact-us/contact-info or file the complaint at: https://www.oag.state.va.us/consumer-protection/index.php/file-a-complaint.
Response Timing and Format
Our goal is to respond to a verifiable consumer request within 45 days of its receipt. If we require more time, we will inform you of the reason and extension period in writing within the first 45-day period. We will deliver our written response, by mail or electronically, at your option. Any disclosures we provide will cover only the 12-month period preceding the request. If reasonably possible, we will provide your Personal Information in a format that is readily useable and should allow you to transmit the information without hindrance.
We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
In case of rejection, the response we provide will explain the reasons for which we cannot comply with your request.
Please note that these U.S Applicable Law rights are not absolute and requests are subject to any applicable legal requirements, including legal and ethical reporting or document retention obligations.
Designating Agents
If you are a California resident, you can designate an authorized agent to make a request on your behalf if:
- The authorized agent is a natural person or a business entity registered with the Secretary of State of California; and
- You sign a written declaration that you authorize the authorized agent to act on your behalf.
If you use an authorized agent to submit a request to exercise your right to know or your right to request deletion, please mail a certified copy of your written declaration authorizing the authorized agent to act on your behalf using the contact information below.
If you provide an authorized agent with power of attorney pursuant to Probate Code sections 4000 to 4465, it may not be necessary to perform these steps and we will respond to any request from such authorized agent in accordance with the CCPA or the CPRA.
We may deny a request from an authorized agent that does not submit proof that they have been authorized by the consumer to act on their behalf.
Non-Discrimination
Unless permitted by the U.S Applicable Law, we will not:
- Deny you goods or services.
- Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
- Provide you a different level or quality of goods or services.
- Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.