Last modified: February 2021

Notice of privacy and processing of Candidate Personal Data

Palantir Technologies Inc. and our subsidiaries worldwide (“Palantir” or “we”) are committed to complying with data protection legislation, including the data protection regime introduced by the General Data Protection Regulation (EU Regulation 2016/679) (the “GDPR”) and California’s new Consumer Privacy Act (“CCPA”). This Notice of Privacy and Processing of Candidate Personal Data (the “Candidate Privacy Notice”) describes the “personal data” (i.e. information about an identified or identifiable individual or which is otherwise protected by applicable law) that we collect about our candidates (the “Candidate Data”) when they apply for a role or work at Palantir (whether as an employee, worker or contractor), what we do with that information, how and why your personal data will be used, namely for the purposes of the recruitment exercise, how long it will be retained for, and what rights apply to candidates who are covered by the GDPR (the “Candidate(s)”). We continue to update this Candidate Privacy Notice as similar rights become available for Candidates under the CCPA.

1. Who is responsible for the processing of Candidate Data?

Palantir is the so-called “Data Controller,” which decides why and how Candidate Data is collected, held and processed when Candidates apply for a role or work at Palantir.

2. What type of Candidate Data do we collect, and how is it collected?

For prospective, current, and former Candidates, at the start of the application process, we typically collect:

• Identifiers and contact information (e.g. full name, title, phone number, address, personal email address,).
• Education (e.g. university attended) and employment information (including the information about the past and current employer).
• CV / resume, which typically describes professional experiences, qualifications, education, and other information that the Candidate voluntarily includes (including any cover letter).
• Information regarding how the Candidate heard of the position.
• Country the Candidate is applying from, a representation that they are legally authorized to work in the country where the position is based, and whether the Candidate needs sponsorship for employment visa status.
• Optional links to the Candidate’s professional profile / page (e.g. LinkedIn URL, GitHub URL, Portfolio URL).
• Responses to application questions, such as: What has been your favorite project or proudest accomplishment? Why? Why do you want to work at Palantir?
• Optional additional information that the Candidate voluntarily provides as part of the initial application process e.g. date of birth, job preferences, willingness to relocate, desired salary and benefits.
• Depending on the role or work, we may request information on language skills, a cover letter, sample of work, or engagement in various testing activities prior to interview.

In some cases, usually where Candidates volunteer it, the personal data that we process will also include special categories of data and/or information about protected legal categories, such as diversity-related information (including data about racial, national and ethnic origin, religious, political, philosophical or moral beliefs, age, trade-union membership, sexual orientation and veteran status) and health related data (including data about any disabilities). We may also collect socio-economic data relating to a Candidate, where Candidates volunteer it.

If a Candidate is selected for an interview and requests an accommodation during the interview process, we may also collect health related data as provided by the Candidate (including data about any disabilities) in connection with an accommodation request.

If a Candidate advances in the application process, we will usually collect additional information about the Candidate during the interview process, such as:

• Additional education and employment information (e.g. employment dates with a Candidate’s current / prior employers, positions held, etc.).
• Interview performance evaluation and scores / assessments from testing conducted as part of the interview process.
• Areas of expertise and interest.
• Information relevant to arranging Candidate travel to Palantir offices (which may include gender / date of birth if applicable), if needed for interview purposesOther information that Candidates choose to disclose during the interview process.

Candidates will not be subject to decisions that will have a significant impact on them based solely on automated decision-making.

Information submitted as part of the application process, which includes any CVs/resumes, assessments and interviews, must be true, accurate, complete, and not misleading. Any false or misleading statements or omissions made by Candidates during the application process may be sufficient cause to justify the rejection of a Candidate’s application or, if the Candidate has already become an employee, worker or contractor the immediate termination of the arrangement, in accordance with applicable law.

If a Candidate successfully completes the interview process and accepts an offer of employment or contract with Palantir, then prior to the start of their employment we may collect additional Candidate Data (e.g. data to verify work eligibility, data regarding alleged or proven criminal offenses, to the extent permitted by applicable law). Additional information about this process will be provided to individuals who receive and accept an offer of employment or contract with Palantir.

In some cases, the personal data we collect from Candidates is needed to meet our legal or regulatory obligations. If so, we will indicate that the provision of this information is mandatory.

Additionally, as part of the recruitment and application process, Palantir may also collect Candidate Data indirectly from third parties, such as:

• Recruitment agencies that Candidates use to apply to Palantir.
• Personal references and/or referrals submitted by Palantir personnel.
• Publicly available sources such as business- and employment-oriented social networking services and job boards where Candidates may post their information.
• Paid and unpaid recruiting services used to obtain Candidate contact information in connection with recruiting efforts.
• Background check providers (if Candidates receive and accept an offer of employment or contract with Palantir).
• Vendors who support us with pre-employment screening.
• Vendors who manage online testing as part of the interview process.
• Vendors who facilitate interview travel (including immigration advisors such as lawyers and consultants to support with any travel visas) and expenses.

3. What do we use Candidate Data for?

We process Candidate Data in order to:

• review your application;
• undertake recruitment activities, such as determining the suitability of a Candidate’s qualifications, checking for existing or potential conflicts of interest or any other restrictions which may impact your suitability for the role or work;
• to verify the information and carry out background or reference checks, where applicable;
• undertake business management/security and employment planning activities, where permitted;
• reply to official requests from a public or judicial authority with the necessary authorization;
• assisting you with obtaining the appropriate immigration or work permits (if applicable);
• plan, prepare for and implement any future merger, acquisition, divestiture, restructuring, reorganization, dissolution or other sale or transfer of some or all of Palantir’s assets, in which Candidate Data is among the assets transferred;
• communicate to you about the recruitment process;
• keep records related to our hiring process;
• making improvement’s to Palantir’s recruitment process and supporting various recruitment initiatives;
• supporting various diversity initiatives (subject to your consent if applicable); and
• comply with any legal obligations imposed on Palantir in relation to its recruitment practices and record retention obligations. We may collect, store and use the following special categories of data, which could include:
• information about your disability status to consider whether we need to provide appropriate adjustments during the recruitment process, for example whether adjustments need to be made e.g. during an interview;
• information about your race or national or ethnic origin, religious, political, philosophical or moral beliefs or your sexual orientation or veteran status or socio-economic data, to ensure meaningful equal opportunity monitoring and reporting;
• information about criminal convictions and offences (where the nature of the job requires it and where permitted by local law).

If you do not provide information when requested, which is necessary for us to consider your application (such as evidence of qualifications or work history), we will not be able to process your application successfully. For example, if we require a credit check or references for the role or work and you fail to provide us with the relevant details, we will not be able to take your application further.

4. What’s the legal basis for why we use Candidate Data?

In certain jurisdictions, we are not allowed to process Candidate Data if we do not have a valid legal basis. Therefore, where required by applicable law, we will only process Candidate Data if:

• the processing is necessary for Palantir’s legitimate interests (see below for examples), and does not unduly affect a Candidate’s interests or fundamental rights and freedoms;
• the processing is necessary to perform our contractual obligations towards a Candidate, or to take agreed upon pre-contractual steps, such as preparing documentation for a Candidate following a decision to make an offer of employment or to enter into a contract;
• the processing is necessary to comply with our legal or regulatory obligations;
• the processing is necessary to protect the vital interests of the relevant individual or of another natural person, such as providing disability access to Palantir premises for interviews where applicable;
• the processing is necessary for the performance of a task carried out in the public interest; or
• in some cases, and if requested from Candidates from time to time, we have obtained Candidate prior consent.

Examples of the “legitimate interests” referred to above are:

• to benefit from cost-effective services (e.g. we may opt to use certain IT platforms offered by suppliers);
• to determine whether a Candidate or potential Candidate’s skills and experience are suitable for a role or work within Palantir, and determine whether or not to (i) make an offer of employment with Palantir or contract; or (ii) approach a Candidate with a view to making an offer of employment or contract with Palantir, on this basis;
• at the appropriate stage in the recruitment process (i.e. as part of making an offer of employment or contract), to verify the accuracy of information provided to us as part of an application, including through background screening if and when an offer of employment or contract is made and accepted;
• to prevent fraud or criminal activity, misuse of our products or services, as well as to ensure the security of Palantir IT systems, architecture, networks and premises;
• to otherwise exercise our fundamental rights to property and to operate a business under articles 16 and 17 of the EU’s Charter of Fundamental Rights; and
• to meet our corporate and social responsibility objectives.

To the extent that we process any special categories of personal data relating to Candidates, we will do so because:

• the processing is necessary to carry out our obligations under employment, social security, or social protection law;
• the processing is necessary for the establishment, exercise, or defense of a legal claim;
• the processing is necessary for reasons of substantial public interest; or
• the Candidate has given explicit consent to us to process that information (where legally permissible).

5. How do we protect Candidate Data?

All Palantir personnel accessing Candidate Data must comply with our internal rules and processes in relation to the processing of that data, to protect it and ensure its confidentiality. Palantir personnel are also required to follow the technical and organizational security measures put in place to protect Candidate Data, and we limit access to your personal data to those employees, agent, contractors and other third parties who have a business need-to-know. They will only process your personal information on our instructions, and they are subject to a duty of confidentiality.

We take your security seriously and take reasonable steps to protect and secure your personal information. We have implemented adequate technical and organizational measures to protect Candidate Data against unauthorized, accidental, or unlawful destruction, loss, alteration, misuse, disclosure, or access and against all other unlawful forms of processing. These security measures have been implemented taking into account the state of the art of the technology, their cost of implementation, the risks presented by the processing, and the nature of the Candidate Data, with particular care for sensitive personal data.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

6. Who has access to Candidate Data and with whom is it shared?

6.1 Within Palantir

We make Candidate Data available to appropriate Palantir personnel to complete the purposes indicated in section 3 above. For example, if you are referred to us by Palantir personnel, we will inform the applicable Palantir personnel who made the referral to inform them whether your application has been successful or not.

6.2 Outside Palantir

We usually also transfer relevant Candidate Data to the following third parties outside Palantir to complete the purposes listed in section 3 above, including:

• third party service providers, such as our recruiting platform provider, our hosting providers, cloud service providers, database providers, vendors who manage online testing as part of the interview process, vendors who facilitate interview travel (including immigration advisors such as lawyers and consultants to support with any travel visas and expenses), and if a Candidate receives and accepts an offer of employment or contract, then also to a third party who carries out pre-employment checks on prospective employees, workers or contractors. Palantir works to ensure that these service providers are contractually obligated to protect Candidate Data;
• any national and/or international regulatory, enforcement or exchange, body or court where we are required to do so by applicable laws or regulations or at their request;
• any central or local government department and other statutory or public bodies, where required by applicable laws or regulations;
• to a buyer or other successor in the event of a merger, acquisition, divestiture, restructuring, reorganization, dissolution or other sale or transfer of some or all of Palantir’s assets, in which Candidate Data is among the assets transferred; and
• any other legitimate recipient of communications required by applicable laws or regulations.

All our third-party service providers and other entities in the group are required to take appropriate security measures to protect your personal data in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

6.3 Transfers outside the European economic area

The Candidate Data transferred within or outside Palantir as set out in sections 6.1 and 6.2 above, is in some cases also processed in a country outside the EEA, which covers the EU member states, Iceland, Liechtenstein and Norway. A list of the countries in which Palantir operates (inside and outside the EEA) can be found at: https://www.palantir.com/contact/. Non-EEA countries may not offer the same level of personal data protection as EEA countries.

If Candidate Data is transferred outside the EEA, we will put in place suitable safeguards (such as encrypting communication) to ensure that such transfer is carried out in compliance with applicable data protection laws and regulations. To ensure this level of protection for Candidate Data, Palantir may use a data transfer agreement with the third-party recipient based on standard contractual clauses approved by the European Commission or ensure that the transfer is to a jurisdiction that is the subject of an adequacy decision by the European Commission or to the US under the EU-US Privacy Shield framework or utilize another valid basis for transfer meeting the requirements for appropriate safeguards under the GDPR. Where Palantir transfers Candidate Data to other group companies, we rely on the standard contractual clauses approved by the European Commission. Candidates may request additional information about the relevant safeguards by exercising their rights as set out below.

7. How long do we store Candidate Data?

When applying for a role or work at Palantir, Candidates are asked whether they would like to be contacted about future job opportunities with Palantir, for up to three (3) years. This is voluntary, and Candidates are not required to agree to this. Further, a Candidate’s response to this question will not impact Palantir’s consideration of the Candidate for the position to which he/she is currently applying.

If a Candidate voluntarily indicates that Palantir may contact him/her about future job opportunities, then Palantir will generally retain the Candidate Data in order for the recruitment team to contact the Candidate about potentially suitable job opportunities for up to three (3) years, unless applicable law requires or permits different retention periods. Where Candidate consent is required, the Candidate may revoke his/her consent at any time by informing their recruiter and/or making a request as described in section 8 below.

If a Candidate does not indicate that Palantir may contact him/her about future job opportunities, or if a Candidate revokes his/her consent, then Palantir will retain the Candidate Data for only as long as necessary to fulfill the purpose for which it was collected or to comply with applicable legal, regulatory or internal policy requirements. In general, although there may be limited exceptions, Palantir will keep Candidate Data for the duration of the recruitment process and for unsuccessful Candidates who do not request to be contacted for future job opportunities for 6 months to 1 year, following communication of the decision that the Candidate’s most recent application is unsuccessful. The exact length of time will vary by jurisdiction and individual circumstances. We retain your personal data for that period so that we can show, in the event of a legal claim, that we have conducted the recruitment exercise in a fair and transparent way. Please contact privacy@palantir.com should you wish to receive more detailed information in this respect. Following this period, we will securely destroy your personal data in accordance with applicable laws and regulations. If Candidates wish to have their personal data, including contact information, removed from our databases, they can inform their recruiter and/or make a request as described in section 8 below, which we will review as set out therein.

Data relating to successful Candidates who accept employment with Palantir, is dealt with by the Employee Privacy and Security Statement that will be provided upon joining Palantir.

8. What are candidates’ rights and how can they exercise them?

8.1 Candidates’ rights

Depending on local legal requirements, Candidates may have a number of rights in respect of Candidate Data including rights to access, correction, erasure, object to processing, request the restriction of processing and/or request a transfer of data to a third party. Details of those rights can be found in Palantir’s Privacy and Security Statement here: https://www.palantir.com/privacy-and-security/. Please note that we are currently not able to honor the CCPA rights in respect to Candidates Data, but we continue to update this Candidate Privacy Notice as these rights become available for Candidates under the CCPA.

8.2 Candidates who wish to exercise their rights

To exercise the above rights, eligible Candidates may send an email to data-subject-request@palantir.com.

We will honor such requests, withdrawal or objection as required under applicable data protection rules but these rights are not absolute: they do not always apply and exemptions may be engaged. In response to a request, we may ask you to verify your identity and/or provide information that helps us to better understand your request. If we do not comply with your request, we will explain why.

If an eligible Candidate makes the above request and is not satisfied with Palantir’s response, he or she has the right to make a complaint to the data protection authority in the jurisdiction where the Candidate lives or works, or in the place where the Candidate thinks an issue in relation to his or her personal data has arisen. For the candidates based in the European Union, the contact details of each Data Protection Authority can be found at the following website: http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm.

9. Updates to this privacy notice

This Candidate Privacy Notice was last updated in September 2020. It may be subject to amendments and modification from time to time. Any future changes or additions to the processing of Candidate Data as described in this Candidate Privacy Notice will be communicated to Candidates through an appropriate channel.

10. Data protection officer and accommodation

To communicate with our Data Protection Officer, please email privacy@palantir.com. If you have a disability and would like to receive this Candidate Privacy Notice in an alternate format, please email privacy@palantir.com.