Privacy Notice to Employment Candidates, Employees and Ex-Employees

This privacy notice explains why Himalaya collects information about you (employment candidates, employees and ex-employees), and how that information may be used.

As a data controller, Himalaya has fair processing responsibilities under the GDPR. This means ensuring that your personal data is handled in ways that are safe, transparent and what you would reasonably expect. According to the GDPR, it is important that data subjects are made aware of, and understand the way their personal data is processed, their rights as data subjects and the means to exercise them.

Types of Information We Collect/Process

Prospective Candidates:

Himalaya receives CVs of candidates when they apply for job openings on third-party job portals. Personal data such as name, surname, photograph, phone number, email address, employment history, educational details, and other personal data will be collected through the CVs. We may also collect personal data during our interviews. We may also request for additional personal details such as National ID, and address information from selected hires for the purpose of preparing employment contracts.


Himalaya collects, processes and stores the following personal data attributes from employees as part of its employment contracts: Name, Surname, ID code or other identity proof number in the respected country, Registered address, Bank account details, phone number, Health Check document, and if applicable work permit. Himalaya also creates personal data attributes such as Employee code and email ID.


In adherence to labor laws, Himalaya is required to retain several documents containing personal details in the employee wise personnel files. Following are the personal data attributes that are processed as part of this activity: Contract and contract attachments, Maternity Leave application, Vacation application, Unpaid leave application, other paid leave application, Employee recognition letter, Employee resignation, Obligatory Health check document.

Why We Collect/Process Your Personal Data

Following are the data processing activities carried out at Himalaya along with the legal basis and purpose for the same:

How long will the data be retained?

Prospective candidates:

We have defined a retention period of 12 months for your CVs. Post that, we will delete all CVs.

Employees and Ex-Employees:

We will retain your personal data in line with the requirements of your respective jurisdiction's labor laws.

How do we maintain the confidentiality of your records?

We are committed to protecting your privacy and will only use information collected lawfully in accordance with the GDPR and other applicable regulations. All of Our staff receives appropriate and on-going training to ensure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures. Only a limited number of authorized staff has access to personal data both electronic as well as physical where it is appropriate to their role and is strictly on a need-to-know basis. Himalaya has also implemented a range of internal controls that provide structure to how data is stored, managed, transmitted and ultimately destroyed.

Who do we share your personal data with?

Prospective candidates:

Your personal data will be shared internally with our Hiring managers (Inside EU), GM -Europe (inside EU), concerned team (where the position is open), and HR-GM (Based out of UAE) for the purpose of recruitment.


Your personal data will be shared with the following categories of third parties:

  • Payroll processing vendors for computation of monthly salaries
  • Tax authorities for filing taxes Insurance agencies


We will share your personal data with your current employer when you send us a request to port your personal data to your current employer or recruiter.

Data Subject Rights

The table below illustrates the various data subject rights that are applicable for each category of data subject along with the means to exercise them.

Data Processing Activity Legal Basis and purpose
Collecting and processing CVs of prospective candidates. Legitimate interests: For recruiting the right candidate.
Collecting and storing additional personal data over emails from selected hires. Processing is necessary in order to get into a contract with Data subject: For preparing employment contracts.
Collecting, storing and transferring (to other teams such as IT, Admin, Finance, etc.) personal data at the time of on-boarding. Processing is necessary for the performance of a contract:x For the purpose of creating access cards, IT assets, email ID, employee ID and salary remittance which are line with clauses of employment contract
Collecting and storing medical reports. These medical reports will only provide us with details on whether or not an employee's health condition is appropriate to work. Compliance with Legal obligation: Required as per labor laws.
Processing and transferring employee personal data, timesheet/attendance data with third party payroll processers Processing is necessary for the performance of a contract: For computation of monthly salaries which are in line with clauses of employment contract
Processing and transferring employee data with tax and legal authorities Compliance with Legal obligation: Required as per local tax systems/laws
Collecting and processing personal data for HR program management (eg. performance management, learning and development) Processing is necessary for the performance of a contract: In line with clauses of employment contract
Collecting, processing, storing and transferring personal data (to internal functions for exit process, tax authorities, legal bodies) of exiting employees for Exit management Compliance with Legal obligations: Transferring data to Tax authorities and legal bodies.
Processing is necessary for the performance of a contract: Rest of the processing activities
Retaining documents containing personal data in personnel files for personnel case management Compliance with Legal obligation: Required as per labor laws.



Data Subject Applicable Data Subject Rights Means to Exercise
Prospective Candidates Right to access;
Right to update;
Right to delete.
By contacting our Data Protection team.E:
Employees Right to access;
Right to update/rectify;
By contacting your local HR or by logging onto Success Factors
Ex-Employees Right to access;
Right to data portability;
By contacting our Data Protection team.
For data portability, we would require the email ID of your current employer/ recruiter.

Your Right to Complain

If you have a complaint about our use of your information, we would prefer you to contact us directly in the first instance, so that we can address your complaint. If you have any specific data protection concerns or a complaint, you can address it to our Privacy team at We hope that we will be able to resolve any concerns you may have. However, you have the right to make a complaint at any time to a Supervisory Authority, in particular to the member state of your place of work or place of alleged infringement.

Updates to this Privacy Notice

We regularly review and, if appropriate, update this Privacy Notice from time to time, and as our services and use of personal data evolves. If we want to make use of your personal data in a way that we haven't previously identified, we will contact you to provide information about this and, if necessary, to ask for your consent.