top of page

Applicant Privacy Notice

1. Introduction and Purpose of this Privacy Notice

Enduro Genetics ApS (“we”, “us”, “our”) processes personal data as part of our business. This privacy policy is intended to inform you (the “data subject”) about how we collect, process, and protect your personal data. We are committed to processing your personal data in accordance with applicable data protection law, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the “GDPR”), as well as national legislation. We strive to ensure that your data is processed lawfully, fairly, and transparently.

​

 

2. Data Controller

The data controller responsible for the processing of your personal data is:
Name: Enduro Genetics ApS
Address: Ole Maaløes Vej 3, DK-2200 Copenhagen N
CVR (Company Reg. No.): 40960465
E-mail: info@endurogenetics.com
Phone: +45 93935580
Web: enduro.bio

Enduro Genetics ApS is the data controller, which means we determine the purposes and means of processing your personal data.

  • Joint controllership (if any): Not applicable.

  • EU/EEA representative (if any): Not applicable, as the company is established in the EU.

​

 

3. Categories of Personal Data We Process

We process personal data about several categories of data subjects. Below is an overview of these categories and the types of personal data we typically process for job applicants/candidates:

  • Ordinary personal data: name, contact information (address, e-mail, phone number), CV, application, education, prior experience, photos.

  • Special categories (Article 9): not applicable (as a rule, not processed).

  • Confidential data (Article 10): not applicable (as a rule, not processed).

 

Sources of data collection:
We primarily collect personal data directly from you. Data may also be generated through your interaction with us and our systems (e.g., communications data, website interactions). In some cases, we may receive information from third parties, such as public authorities or recruitment platforms (if relevant).

​

 

4. Purposes and Legal Bases for Processing Personal Data

We process personal data from job applicants for the following purposes:

  • Recruitment and evaluation: To assess your application, qualifications, and suitability for employment, and to carry out interviews and reference checks.

    • Legal bases: GDPR Art. 6(1)(b) (steps prior to entering an employment contract) and Art. 6(1)(f) (legitimate interests in selecting qualified candidates).

  • Compliance with employment and equality legislation: To document a fair and non-discriminatory recruitment process.

    • Legal basis: GDPR Art. 6(1)(c) (legal obligation).

  • Special categories of data (if applicable): If you provide information about health, disability, or other special categories, we process it only where necessary to fulfil employment law obligations or with your explicit consent.

    • Legal bases: GDPR Art. 9(2)(b) and, where relevant, Art. 9(2)(a).

  • Retention after recruitment: To defend against potential legal claims related to the recruitment process.

    • Legal basis: GDPR Art. 6(1)(f) (legitimate interests).

  • Future recruitment (talent pool, only with your consent): If you consent to be considered for future positions, your data will be stored for the period stated in the consent.

    • Legal basis: GDPR Art. 6(1)(a) (consent).

​

 

5. Disclosure of Personal Data to Other Recipients

We regularly disclose personal data to the following categories of recipients (primarily data processors) under data processing agreements:

  • Recruitment system — personal data: name, contact information, CV, application, photos.

  • Professional social media — personal data: name, job title, experience, education, photos, messages, contact information.

 

Transfers to third countries (outside the EU/EEA):
We use various systems and services. As a rule, we aim to ensure that all processing occurs within the EU/EEA to maintain a high level of data protection. In certain cases, transfers to countries or international organizations outside the EU/EEA (“third countries”) may be necessary. Such transfers are carried out in accordance with GDPR Chapter V to ensure that the protection afforded to individuals within the EU is not undermined.

Situations where third-country transfers may occur, and applicable transfer mechanisms include:

  • Cloud-based productivity tools and data management systems: data is generally stored within the EU. Transfers to the USA may occur for support and maintenance. The transfer mechanism is EU-U.S. Data Privacy Framework certification, recognized by the European Commission as providing an adequate level of protection.

  • Professional networking platforms: in some cases, data is processed globally. Transfers outside the EU/EEA are based on the EU Commission’s Standard Contractual Clauses (SCCs) combined with a third-country assessment and any supplementary technical measures to ensure a level of protection essentially equivalent to that within the EU/EEA.

  • Other business systems and services: for most of our other business systems and services (e.g., web hosting, advisory services, and recruitment), processing primarily takes place within the EU/EEA. No regular third-country transfers have been identified for these services.
    You may contact us at any time for further information on the specific transfer mechanisms and safeguards, including how to obtain a copy of the SCCs or other relevant documents.

​

 

6. Storage and Deletion of Personal Data

We retain your personal data for as long as necessary to fulfil the purposes for which it was collected, or for as long as required by applicable law.

For job applicants who are not hired, personal data is deleted six months after the end of the recruitment process, unless you have given specific consent for longer retention (for example, to be considered for future positions).

If you are offered and accept employment with Enduro, your application data will be transferred to your employee file and processed in accordance with Enduro’s Employee Privacy Notice.

Your personal data will be deleted or anonymized when it is no longer necessary for the purposes for which it was collected and processed, and when we are no longer legally obliged to retain it.

​

 

7. Security Measures

We take the protection of your personal data seriously and have implemented a range of technical and organizational measures to ensure an appropriate level of security, including:

  • Access management: access to systems and data is limited on a need-to-know basis and via role-based access control (RBAC). User IDs and complex passwords are used.

  • Authentication: two-factor authentication (2FA) is implemented across critical systems.

  • Encryption: data is encrypted in transit (HTTPS/TLS) and at rest on our processors’ servers where technically possible.

  • Policies and procedures: an overarching IT security policy, employee instructions, and an incident response plan for handling security breaches are in place.

  • Awareness: employees receive continuous information and training in GDPR and proper handling of personal data.

  • Monitoring and follow-up: regular risk assessments and checks of security measures and processors’ compliance with agreements.

  • Data processing agreements (DPAs): concluded with all relevant vendors, specifying processing parameters and ensuring GDPR compliance.

  • Physical security: physical materials are stored securely; our vendors’ data centers are subject to strict physical security measures.

  • Network security: firewalls, IDS/IPS, and antivirus software are used to protect networks and systems.

​

 

8. Your Rights

You have a number of rights under the GDPR, which we respect and will help you exercise. These include the rights of access, rectification, erasure, restriction of processing, data portability, objection, the right not to be subject to automated individual decision-making, the right to withdraw consent, and the right to lodge a complaint with the Danish Data Protection Agency (Datatilsynet).

​

Exercising your rights:
If you wish to exercise your rights, please contact us using the details in Section 2 (Data Controller) or our Data Protection Officer (DPO) listed in Section 9. We will process your request as quickly as possible and in accordance with applicable law.


Exceptions:
Please note that exceptions may apply. We will always make a case-by-case assessment of whether a request can be fulfilled.

​

 

9. Data Protection Officer (DPO)

Contact details:
Name: gdprconsult.dk (Contact: Niels Madsen)
Address: Finsensvej 45b, 4th, 2000 Frederiksberg
CVR: 25077830
E-mail: niels@gdprconsult.dk
Phone: +45 91 97 78 77
Web: gdprconsult.dk

​

 

10. Changes to this Privacy Notice

This privacy policy may be updated from time to time. The latest version will always be available on our website (enduro.bio).


Notice of material changes: If we make material changes, we will inform you via our website or by direct notification where appropriate.

​

 

11. Complaints

You have the right to lodge a complaint with the Danish Data Protection Agency if you believe our processing of your personal data violates applicable data protection law.
Danish Data Protection Agency (Datatilsynet)
Address: Carl Jacobsens Vej 35, 2500 Valby
E-mail: dt@datatilsynet.dk
Phone: +45 33 19 32 00
Web: www.datatilsynet.dk

bottom of page