Revise GitHub Candidate Privacy Policy and update title (#58827)
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: Joe Clark <31087804+jc-clark@users.noreply.github.com> Co-authored-by: Kevin Xu <khxu@github.com> Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
This commit is contained in:
Dani Brooks
@@ -1,5 +1,6 @@
|
||||
---
|
||||
title: GitHub Candidate Privacy Policy
|
||||
title: GitHub Global Data Privacy Notice for Candidates
|
||||
allowTitleToDifferFromFilename: true
|
||||
versions:
|
||||
fpt: '*'
|
||||
topics:
|
||||
@@ -9,69 +10,320 @@ redirect_from:
|
||||
- /github/site-policy/github-candidate-privacy-policy
|
||||
---
|
||||
|
||||
Effective Date: March 8, 2021
|
||||
**GitHub Global Data Privacy Notice for Candidates**
|
||||
|
||||
This GitHub Candidate Privacy Policy explains what information we collect about you during the application or recruitment process for employment with GitHub, as well as the purposes for which we collect and use that information.
|
||||
Last Updated: December 2025
|
||||
|
||||
For the purposes of this policy:
|
||||
**Table of Contents**
|
||||
|
||||
“Candidate” includes applicants and candidates who are part of the GitHub application or recruitment process; and
|
||||
[Overview](#overview)
|
||||
|
||||
"Candidate Personal Information" refers to any information we collect about one of our Candidates during the application or recruitment process which could, alone or together with other information, personally identify them or otherwise be reasonably linked or connected with them.
|
||||
[Personal Data that We Process](#personal-data-that-we-process)
|
||||
|
||||
This policy does not apply to the use of GitHub services, which are covered under our [GitHub Privacy Statement](/site-policy/privacy-policies/github-privacy-statement).
|
||||
[Why We Process Personal Data](#why-we-process-personal-data)
|
||||
|
||||
## What Candidate Personal Information do we collect?
|
||||
[Change of Purpose](#change-of-purpose)
|
||||
|
||||
The Candidate Personal Information we collect, use, and maintain (or “process”) can include the following, but is not limited to:
|
||||
[How and Why We Disclose Personal Data](#how-and-why-we-disclose-personal-data)
|
||||
|
||||
**Identification and contact information**, including your name, email address, phone number, location, GitHub profile, and any other information you provide (such as referrals and references).
|
||||
[Your Rights to Your Personal Data](#your-rights-to-your-personal-data)
|
||||
|
||||
**National identifiers**, such as your citizenship status, residency and work permit status.
|
||||
[Use of Cookies and Web Beacons](#use-of-cookies-and-web-beacons)
|
||||
|
||||
**Employment and education history**, such as your resume or CV, cover letter, details of how you heard about the position you are applying for, information about any previous employment at GitHub or affiliates of GitHub, or other information you provide to us in support of an application and/or the application and recruitment process.
|
||||
[Security of Your Personal Data](#security-of-your-personal-data)
|
||||
|
||||
**Professional or employment information**, including your desired salary or terms related to benefits, willingness to relocate, other job preferences, interview details, reference information and/or information received from background checks (where applicable), and information from publicly available resources (such as your LinkedIn profile or website).
|
||||
[Where We Store and Process Personal Data](#where-we-store-and-process-personal-data)
|
||||
|
||||
**Sensitive or demographic information**, such as your gender, medical or health information, veteran status, or your racial or ethnic origin.
|
||||
[Our Retention of Personal Data](#our-retention-of-personal-data)
|
||||
|
||||
## How do we use the Candidate Personal Information we collect?
|
||||
[Changes to this Privacy Notice](#changes-to-this-privacy-notice)
|
||||
|
||||
We use the Candidate Personal Information for the following purposes:
|
||||
* To assess your skills, qualifications and interests for employment opportunities with GitHub;
|
||||
* To verify the information provided by you or others, including checking your references;
|
||||
* To communicate with you about your application and the recruitment process, including informing you of other potential employment opportunities at GitHub;
|
||||
* If you were referred, to inform the referrer of the status of your application;
|
||||
* If you are offered a position, to prepare your offer letter and conduct a background check (to the extent permitted by applicable law);
|
||||
* If you are offered a position and where requested by you, to assist you with obtaining an immigration visa or work permit;
|
||||
* To comply with local laws, regulations, legal processes or enforceable government requests; and
|
||||
* To prepare and submit reports as required under local laws and regulations;
|
||||
* To manage and improve our application and recruitment process (such as making the application process more efficient and improving our diversity practices).
|
||||
[How to Contact Us](#how-to-contact-us)
|
||||
|
||||
## How do we share your Candidate Personal Information?
|
||||
[Addenda](#addenda)
|
||||
|
||||
GitHub will share your Candidate Personal Information with those who have a legitimate business need for it. Whenever we permit a third party to access your Candidate Personal Information, we will make sure the information is used in a manner consistent with this policy. Your Candidate Personal Information may be shared with our affiliates (such as Microsoft) and other third parties (such as vendors) for the following purposes:
|
||||
1. In order to carry out the uses of Candidate Personal Information described above;
|
||||
1. To enable third parties to provide products or services to us or on our behalf (such as to facilitate the application process or conduct background checks).
|
||||
1. To comply with our legal obligations, regulations or contracts, or to respond to a court order, administrative or judicial process (such as subpoena, government audit or search warrant) or, in response to lawful requests by public authorities (such as national security or law enforcement);
|
||||
1. As necessary to establish, exercise, or defend against potential or pending litigation;
|
||||
1. Where necessary to protect GitHub, your vital interests (such as safety and security), or those of another person; or
|
||||
1. With your consent (such to contact your references). It is your responsibility to obtain consent from references before providing their personal information to GitHub.
|
||||
[California Addendum](#california-addendum)
|
||||
|
||||
## Your rights to your Candidate Personal Information
|
||||
[Canada Addendum](#canada-addendum)
|
||||
|
||||
In some locations, Candidates may have certain rights under applicable local privacy laws (such as the European General Data Protection Regulation). However, regardless of your location, we provide the same high standard of privacy protection to all of our Candidates around the world.
|
||||
[European Union (EU) and United Kingdom (UK)](#european-union-eu-and-united-kingdom-uk)
|
||||
|
||||
This includes the rights to request access or correct your information, request that your information be deleted, or object to or restrict GitHub from using it for certain purposes.
|
||||
## Overview
|
||||
|
||||
You can make a request to do so by contacting privacy@github.com. We will respond to all requests in accordance with applicable data protection laws.
|
||||
Your privacy is important to GitHub (“we”, “us”, “our” or “GitHub”). We respect the privacy rights of all individuals and we are committed to handling personal data responsibly and in accordance with applicable laws. This privacy notice, together with the Addenda and other notices we may provide to you at the time of data collection, explain what personal data GitHub processes about you, how we use this personal data, and your rights to this personal data.
|
||||
|
||||
## How long do we retain your Candidate Personal Information?
|
||||
Please note that this privacy notice applies to the handling of your personal data as a candidate.
|
||||
|
||||
Candidate Personal Information will be stored for one year after your application to comply with our legal obligations. After that time, we will contact you and ask for your consent to continue to retain your personal information so that we can consider you for any future job opportunities at GitHub.
|
||||
This notice does not cover your use of GitHub consumer products as a consumer, or outside of your candidacy with GitHub. GitHub consumer products may include services, websites, apps, software, servers, and devices. To learn more about GitHub’s data collection practices that cover your use of GitHub products as a consumer, please read our [GitHub Privacy Statement](https://site-policy/privacy-policies/github-general-privacy-statement).
|
||||
|
||||
If you are hired for a position at GitHub, we will retain the information provided during the application and recruitment process as part of your employee record.
|
||||
This notice is not intended and shall not be read to create any express or implied promise or contract for employment, for any benefit, or for specific treatment in specific situations. Nothing in this notice should be construed to interfere with GitHub’s ability to process candidate data for purposes of complying with our legal obligations, or for investigating alleged misconduct or violations of company policy or law, subject to compliance with local legal requirements.
|
||||
|
||||
## Changes to this Policy
|
||||
GitHub's processing of personal data is in all cases subject to the requirements of applicable local law, internal policy, and where applicable or appropriate, any consultation requirements with worker representatives. To the extent this notice conflicts with local law in your jurisdictions, local law controls.
|
||||
|
||||
We may occasionally update this GitHub Candidate Privacy Policy. When we do make changes to this page, we will update the "last updated" date.
|
||||
### Personal Data that We Process
|
||||
(This may include data that you provide to us, that we collect or generate about you, or that we assign to you.)
|
||||
|
||||
We collect, use, and store (collectively “process”) different types of personal data about you in the operation of our business. If you are a candidate, the type of personal data we process is generally limited to what we need to engage with you about GitHub career opportunities, consideration of your application for employment to specific roles at GitHub, including candidate screening, interview scheduling and management, lawful background screening, and to on-board you at GitHub if you receive and accept an offer of employment with us.
|
||||
|
||||
The personal data we process can include, but is not limited to, the following:
|
||||
|
||||
**Name and contact data**. Your first and last name, employee identification number, email address, mailing address, phone number, photo, beneficiary and emergency contact details, and other similar contact data. Additionally, you may opt to provide GitHub with additional contact information such as personal email address(es) and/or cell phone number(s).
|
||||
|
||||
**Demographic data**. Your date of birth and gender as well as more sensitive personal data (also known as special category data) including information relating to racial and ethnic origin, religious, political or philosophical beliefs, trade union membership or information about your health, disabilities, sexual orientation, gender identity, and transgender status. We may also ask about your parental status and military status.
|
||||
|
||||
**National identifiers**. Your national ID/passport, citizenship status, residency and work permit status, social security number, or other taxpayer/government identification number.
|
||||
|
||||
**Employment details**. Your job title/position, account credentials, office location and/or remote working location, employment contract, offer letter, hire date, termination date, performance history and disciplinary records, hours worked, badge activity information, training records, leave of absence, sick time, and vacation/holiday records.
|
||||
|
||||
**Spouse’s/partner’s and dependents’ information**. Your spouse and dependents’ first and last names, dates of birth, and contact details.
|
||||
|
||||
**Background information**. Your academic and professional qualifications, education, CV/Resume, credit history and criminal records data.
|
||||
|
||||
**Video, voice and image**. We may collect and use your video, voice and image data, subject to the requirements of local law, internal policy, and any consultation requirements with worker representatives (where appropriate).
|
||||
|
||||
**Financial information**. Your bank account details, tax information, salary, retirement account information, company allowances and other information necessary to administer payroll, taxes, benefits, and equity and incentive compensation.
|
||||
|
||||
**Inferences**. Inferences to create a profile reflecting your personal characteristics (such as work history and experience), abilities, and aptitudes.
|
||||
|
||||
**Sources of Personal Data**
|
||||
|
||||
In addition to collecting personal data from you (directly or indirectly), we obtain personal data about you from data sources other than you, including:
|
||||
|
||||
* Inference data that we generate or derive about you from personal data we process about you.
|
||||
* References provided by or about you, including from former and current employers.
|
||||
* Third parties or public sources (e.g. information from public professional networking sources, such as your LinkedIn profile, for recruitment purposes).
|
||||
* Our vendors and other providers, such as when we conduct lawful background screenings, to the extent permitted by law, through a third-party vendor who provides us information about your past education, employment, credit and/or criminal history.
|
||||
|
||||
### Why We Process Personal Data
|
||||
|
||||
We collect and process your personal data for the purposes set out below, which may include but are not limited to the following. Failure to provide your personal data when requested may prevent us from being able to carry out these tasks and/or comply with our legal obligations.
|
||||
|
||||
**Recruitment and Hiring**. For our recruitment and hiring purposes, including engaging with you concerning job opportunities at GitHub, considering your application for employment to specific roles, candidate screening, interview scheduling and management, lawful vetting and background screening, and preparing an offer letter.
|
||||
|
||||
**Payroll, Compensation, and Accounting**. For our payroll and compensation activities, including tax reporting, administering equity and incentive compensation, administering Rewards, expense reimbursement, and other accounting tasks.
|
||||
|
||||
**Benefits Registration**. For activities related to benefits registration.
|
||||
|
||||
**Career Planning and Development**. For activities related to career planning and development, including assessing and providing your GitHub career opportunities.
|
||||
|
||||
**Equal Opportunity Assessment and Accommodations**. To manage and assess our equal employment opportunity, diversity, inclusion and accessibility programs, including monitoring and ensuring equal treatment and opportunity, providing work-related accommodations or adjustments, and for our global equal opportunity initiatives.
|
||||
|
||||
**Legal and Policy Compliance Administration and Enforcement**. To administer and enforce our legal and policy compliance programs and requirements, including fulfilling our obligations under our contracts, government clearances, and applicable GitHub policies; maintaining required records; collection or disclosure of personal data under judicial authorization (e.g. a court order, administrative or judicial process, or other lawful request by a public authority, in the U.S. or a foreign jurisdiction); performing lawful background screenings; for complying with laws and regulations (e.g. for minimum wage, working time, tax, health and safety, anti-discrimination laws, government reporting obligations, global migration, whistleblowing procedures, and data subject rights); and investigating potential violations of, exercising, or defending GitHub’s legal rights (including seeking legal advice, combatting fraud, and protecting the life and safety of employees and others).
|
||||
|
||||
**Scientific Research**. For activities related to scientific research, including research viewed in the public interest and research attempting to contribute to generalizable knowledge, subject to appropriate technical and organizational controls (e.g. data anonymization and aggregation, adhering to our privacy standards, and conducting ethics and compliance reviews).
|
||||
|
||||
**Personalization**. For personalization activities such as to understand your preferences to enhance your candidate experience, including storing and honoring your preferences and settings and enabling you to sign-in or otherwise access and use our Systems and assets.
|
||||
|
||||
**AI and Automated Decisions**. As GitHub enables AI supported experiences in its products, your personal data may also be processed by AI to facilitate certain features and experiences deployed on the GitHub tenant – including AI features such as chatbot features, summarization features, and the like. Where permissible, artificial intelligence (AI) and machine learning (ML) technologies may also be used to process your data for the business purposes described in this section. GitHub’s processing of your data will comply with its commitment to responsible AI. We may also use automated decision-making systems to identify trends and outages and monitor and secure our Systems and data, to provide chatbots and other interactive services, and monitor compliance with our policies and procedures.
|
||||
|
||||
**General Business Operations**. For our general business operations, including general management of the business, implementing and managing our business applications and systems, and facilitating communications and collaboration.
|
||||
|
||||
We may combine data from different sources for the above purposes.
|
||||
|
||||
Use of personal data for the above purposes, such as general business operations, may include AI-supported experiences deployed on the GitHub tenant, including AI features such as chatbot and summarization features. Processing involving these experiences will comply with GitHub’s commitment to responsible AI.
|
||||
|
||||
We may also process personal data for other legitimate business purposes as permitted under applicable law as necessary to manage our business relationship with you.
|
||||
|
||||
Where required by law, we will seek your consent for the above uses; and where your consent is sought, we will ensure your consent is informed, voluntary, and that you suffer no adverse consequence from any decision to withhold or revoke your consent.
|
||||
|
||||
### Change of Purpose
|
||||
|
||||
We will use your personal data only for the purposes for which it was collected, unless we reasonably need it for another compatible purpose and there is a legal basis for further processing. For example, relying upon our legitimate interest in recruiting candidates for roles at GitHub, we may process the personal data you provided while researching job openings. However, once you apply for and are successful in obtaining a role, we may process your personal data for the purpose of entering into an employment relationship with you.
|
||||
|
||||
### How and Why We Disclose Personal Data
|
||||
|
||||
GitHub will only disclose your personal data with those who have a legitimate business need for it. Whenever we disclose your personal data, we will ensure the personal data is used in a manner consistent with this privacy notice (and any applicable internal data handling guidelines consistent with the sensitivity and classification of the personal data). Your personal data may be disclosed to our subsidiaries and affiliates and other third parties, including service providers, for the following legitimate purposes:
|
||||
|
||||
* To carry out the purposes of our personal data processing as described above (see section titled: “Why We Process Personal Data”);
|
||||
* To enable third parties to provide services on behalf of GitHub;
|
||||
* To comply with our legal obligations, regulations, government clearances, or contracts, or to respond to data subject rights, a court order, administrative or judicial process, such as a subpoena, government audit or search warrant. Categories of recipients would include counterparties to contracts, judicial and governmental bodies;
|
||||
* In response to lawful requests by public authorities (such as regulatory bodies, law enforcement authorities, and national security organizations);
|
||||
* To seek legal advice from external lawyers and advice from other external professionals such as accountants, management consultants, etc.;
|
||||
* As necessary to establish, exercise or defend against potential, threatened or actual litigation;
|
||||
* Where necessary to protect GitHub, your vital interests, such as safety and security, or the vital interests of other persons; or
|
||||
* Otherwise in accordance with your consent.
|
||||
|
||||
Please note that where legal requirements limit the disclosure of your personal data, GitHub will respect such requirements.
|
||||
|
||||
### Your Rights to Your Personal Data
|
||||
|
||||
In some regions, you may have certain rights under applicable data protection laws (such as the European Union and United Kingdom General Data Protection Regulation). Please see the [Addenda](#addenda) to this notice for additional information by region/country.
|
||||
|
||||
### Use of Cookies and Web Beacons
|
||||
|
||||
Site pages may use cookies (small text files placed on your device) and similar technologies. These cookies and similar technologies allow us to store and honor your preferences and settings; enable you to sign-in; combat fraud; and analyze how our websites and online services are performing.
|
||||
|
||||
We also use “web beacons” to help deliver cookies and gather usage and performance data. Our websites may include web beacons, and cookies, or similar technologies from third-party service providers.
|
||||
|
||||
You have a variety of tools to control the data collected by cookies, web beacons and similar technologies. For example, you can use controls in your internet browser to limit how the websites you visit are able to use cookies and to withdraw your consent by clearing or blocking cookies.
|
||||
|
||||
### Security of Your Personal Data
|
||||
|
||||
GitHub is committed to protecting the security of your personal data. We use a variety of security technologies and procedures to help protect your personal data from unauthorized access, use, or disclosure. For example, we store the personal data you provide on limited access computer servers that are located in controlled facilities, and we protect certain highly confidential or sensitive personal data through encryption in transfer and at rest.
|
||||
|
||||
### Where We Store and Process Personal Data
|
||||
|
||||
GitHub operates globally and therefore personal data may need to be transferred to countries outside of where the personal data was originally collected. For example, because we are headquartered in the United States, personal data collected in other countries is routinely transferred to the United States for processing. We transfer personal data from the European Economic Area and the United Kingdom to other countries, some of which have not yet been determined by the European Commission to have an adequate level of data protection. For example, their laws may not guarantee you the same rights, or there may not be a privacy supervisory authority there that is capable of addressing your complaints. When we engage in such transfers, we use a variety of legal mechanisms, including contracts such as the standard contractual clauses published by the European Commission under Commission Implementing Decision 2021/914, to help protect your rights and enable these protections to travel with your data. To learn more about the European Commission’s decisions on the adequacy of the protection of personal data in the countries where GitHub processes personal data, see this article on the [European Commission website](https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en). We may also transfer personal data when (i) you have consented to disclosure abroad; (ii) it is necessary for the conclusion or performance of a contract; (iii) it is necessary to safeguard an overriding public interest or to establish, exercise, or enforce legal rights; (iv) it is necessary to protect the life or the physical integrity of you or another person, and it is not possible to obtain your consent within a reasonable time; (v) you have made the data generally accessible and have not explicitly prohibited processing; or (vi) the data originates from a statutory register to which we have legitimate access.
|
||||
|
||||
GitHub complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF as set forth by the U.S. Department of Commerce. GitHub has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. In the context of an onward transfer, GitHub has responsibility for the processing of personal data it receives under the DPF and subsequently transfers to a third party acting as an agent on our behalf. GitHub remains liable under the DPF if our agent processes such personal information in a manner inconsistent with the DPF, unless GitHub can prove that we are not responsible for the event giving rise to the damage. If there is any conflict between the terms in this privacy statement and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit the [U.S. Department of Commerce’s Data Privacy Framework website](https://www.dataprivacyframework.gov/).
|
||||
|
||||
If you have a question or complaint related to participation by GitHub in the DPF Frameworks, we encourage you to contact us via email [dpo@github.com](mailto:dpo@github.com). For any complaints related to the DPF Frameworks that GitHub cannot resolve directly, we have chosen to cooperate with the relevant EU Data Protection Authority, or a panel established by the European data protection authorities, for resolving disputes with EU individuals and the UK Information Commissioner (for UK individuals). Please contact us if you’d like us to direct you to your data protection authority contacts. As further explained in the DPF Principles, binding arbitration is available to address residual complaints not resolved by other means. GitHub is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).
|
||||
|
||||
### Our Retention of Personal Data
|
||||
|
||||
We will store personal data in accordance with applicable laws or regulatory requirements and retain data for as long as necessary to fulfill the purposes for which the personal data was collected, as documented in our corporate data retention schedule.
|
||||
|
||||
### Changes to this Privacy Notice
|
||||
|
||||
We may occasionally update this privacy notice. When we do, we will revise the "last updated" date at the top of the privacy notice. We encourage you to periodically review this privacy notice to learn how GitHub protects your personal data.
|
||||
|
||||
### How to Contact Us
|
||||
|
||||
If you have a privacy concern or question related to this privacy notice, please contact dpo@github.com.
|
||||
|
||||
Our addresses are:
|
||||
|
||||
GitHub B.V. Prins Bernhardplein 200, Amsterdam 1097JB The Netherlands
|
||||
|
||||
GitHub, Inc. 88 Colin P. Kelly Jr. St. San Francisco, CA 94107 United States
|
||||
|
||||
## Addenda
|
||||
|
||||
### California Addendum
|
||||
|
||||
Last Updated: June 2025
|
||||
|
||||
California: Your Rights
|
||||
|
||||
If you are a candidate that resides in California, this section applies to you and supplements the information shared in the privacy notice.
|
||||
|
||||
California residents have specific rights regarding their personal information under the California Consumer Privacy Act of 2020 (as amended) (“CCPA”). This section describes your rights and explains how to exercise those rights. Please note that in the preceding twelve (12) months, we have not sold your personal information or shared such information for cross context behavioral advertising. We may disclose certain personal information, such as your first and last name, email address, and other similar contact data, and inferences with our subsidiaries and affiliates and other third parties, including service providers who provide services on behalf of GitHub.
|
||||
|
||||
* You have a right to receive this notice of our Personal Information collection, use, retention, and disclosure practices at or before collection of Personal Information.
|
||||
* You may request notice of and access to certain information about our collection and use of your personal information over the past 12 months. Once we receive and confirm your verifiable request, we may disclose to you:
|
||||
* The categories of personal information we collected about you.
|
||||
* The categories of sources for the personal information we collected about you.
|
||||
* Our business or commercial purpose for collecting that personal information.
|
||||
* The categories of third parties with whom we disclosed that personal information.
|
||||
* The specific pieces of personal information we collected about you (also called a data portability request).
|
||||
* If we disclosed your personal information for a business purpose, a list of disclosures identifying the personal information categories that each category of recipient obtained.
|
||||
* You may request that we correct personal information about you that is inaccurate.
|
||||
* You may request that we delete your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable request, we will delete or de-identify (and direct our service providers to delete or de-identify) your personal information from our records, unless an exception applies.
|
||||
* We do not “sell” or “share” personal information and have not done so in the past 12 months.
|
||||
* We do not use or disclose Sensitive Personal Information for purposes of inferring individual characteristics or for additional purposes.
|
||||
|
||||
None of these rights are absolute and there may be circumstances in which we are required or permitted under applicable law not to address your request.
|
||||
|
||||
Only you or an authorized agent that you authorize to act on your behalf may make a verifiable request to access, correct, or delete your personal information.
|
||||
|
||||
Any verifiable request (including those to delete data) must:
|
||||
|
||||
* Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative (such as by requiring you to provide a signed written authorization that the agent is authorized to make a request on your behalf).
|
||||
* Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
|
||||
|
||||
We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. Making a verifiable request does not require you to create an account with us.
|
||||
|
||||
We will not penalize you for exercising any of your rights where prohibited by law.
|
||||
|
||||
You may exercise your rights under the CCPA through one of the following means:
|
||||
|
||||
* Submitting a request to [dpo@github.com](mailto:dpo@github.com)
|
||||
|
||||
### Canada Addendum
|
||||
|
||||
Last updated: October 2023
|
||||
|
||||
The following additional provisions apply to candidates in Canada.
|
||||
|
||||
Manner of Collection
|
||||
|
||||
We collect personal data that you provide directly to us (such as through the job application process) as well as information devices provide to us automatically, as described above. We may also collect personal data indirectly with consent. For example, we collect background verification information from third-party background screening providers and we may also obtain personal data from recruitment agencies or job references. Please see the section titled “Personal Data that We Process” for more information about personal data we collect.
|
||||
|
||||
Transfer of Personal Data
|
||||
|
||||
We and our service providers (including affiliates) may access, store and otherwise process personal data outside of your province (including, for Quebec residents, outside of Quebec), including in other parts of Canada, the United States, and other foreign jurisdictions where we or our service providers are located. We, our affiliates and our service providers may disclose your personal data if we are required or permitted by applicable law or legal process, which may include lawful access by foreign courts, law enforcement or other government authorities in the jurisdictions in which we or our service providers operate.
|
||||
|
||||
Retention
|
||||
|
||||
We will process and keep your personal data for as long as is necessary to meet the purposes for which the information was collected as set out in this policy and to meet our legal or business requirements, as documented in our corporate data retention schedule.
|
||||
|
||||
Your Rights
|
||||
|
||||
Subject to limited exceptions under applicable law, you have the right to access, update, rectify and correct inaccuracies in your personal data in our custody and control and withdraw your consent to our collection, use and disclosure of your personal data (although an employee cannot withdraw consent to the collection of personal data necessary to administer their employment). You may request access, updates, rectification, and corrections of inaccuracies in your personal data in our custody or control or withdraw your consent by emailing [dpo@github.com](mailto:dpo@github.com). We may require certain personal data for the purpose of verifying your identity or the identity of the individual making the request.
|
||||
|
||||
How to Contact Us
|
||||
|
||||
If you have any questions or comments about this privacy notice or the manner in which we or our service providers (including our service providers outside Canada) treat your personal data, or to request access to or correction of your personal data, or to withdraw your consent, please contact us by emailing [dpo@github.com](mailto:dpo@github.com).
|
||||
|
||||
### European Union (EU) and United Kingdom (UK)
|
||||
|
||||
Last updated: June 2025
|
||||
|
||||
European Union and United Kingdom: Your Data Subject Rights
|
||||
|
||||
In addition to the information shared in the privacy notice, EU and UK candidates (including individuals in the EU and UK, or in some circumstances individuals who normally reside in the EU and UK who are abroad) may have certain rights under applicable data protection laws, including the EU and UK General Data Protection Regulation (collectively, the “GDPR”) and local laws implementing or supplementing the GDPR, including the rights to:
|
||||
|
||||
* Request access to and obtain a copy of your personal data;
|
||||
* Request rectification (or correction) of inaccurate personal data you have provided;
|
||||
* Request erasure (or deletion) of personal data that is no longer necessary to fulfill the purposes for which it was collected, or does not need to be retained by GitHub for other legitimate purposes;
|
||||
* Restrict or object to the processing of your personal data; and
|
||||
* If applicable, request your personal data be ported (transferred) to another company.
|
||||
|
||||
Please note that certain conditions, exceptions apply to these rights and that application of the above rights may vary depending on the type of personal data involved, and GitHub’s particular basis for processing the personal data.
|
||||
|
||||
To make a request to exercise one of the above rights, please contact dpo@github.com by email or by letter to one of the following address:
|
||||
|
||||
GitHub B.V. Prins Bernhardplein 200, Amsterdam 1097JB The Netherlands
|
||||
|
||||
GitHub, Inc. 88 Colin P. Kelly Jr. St. San Francisco, CA 94107 United States
|
||||
|
||||
We will consider and act upon any requests in accordance with applicable data protection laws. Please note that we may request certain information from you to enable us to confirm your identity. We may, in limited circumstances, charge you a reasonable fee for administrative costs in relation to responding to your request; however, we will advise you of any fee in advance.
|
||||
|
||||
If we are relying on your consent to process your personal data, you have the right to withdraw your consent at any time. Please note however that this will not affect the lawfulness of the processing before withdrawal of consent.
|
||||
|
||||
EU and UK candidates (including individuals in the EU and UK, or individuals who normally reside in the EU and UK who are abroad) may also direct questions about how we handle personal data to our Data Protection Officer by emailing [dpo@github.com](mailto:dpo@github.com).
|
||||
|
||||
While we hope we can answer any questions that you may have, if you have unresolved concerns, you also have the right to complain to a relevant data protection supervisory authority in the EU and UK.
|
||||
|
||||
For candidates, the controller of your personal data is the GitHub entity to which you have applied for a role. GitHub is also a controller of certain personal data of the above-mentioned data subjects. Any privacy-related queries for your data controller should be directed to dpo@github.com or by letter to one of the following address:
|
||||
|
||||
GitHub B.V. Prins Bernhardplein 200, Amsterdam 1097JB The Netherlands
|
||||
|
||||
GitHub, Inc. 88 Colin P. Kelly Jr. St. San Francisco, CA 94107 United States
|
||||
|
||||
In addition, the contact information of the controller of your data is provided in your contract or job application.
|
||||
|
||||
For EU and UK candidates (including individuals working in the EU and UK, or individuals in the EU and UK who are abroad), we rely on different lawful bases for collecting and processing personal data about you (as described in the DPN), for example, as necessary to operate our business, meet our contractual and legal obligations, protect the security of our systems and our data, or fulfil other legitimate interests. These lawful bases include the following (or as otherwise communicated to from time to time):
|
||||
|
||||
Performance of a Contract:
|
||||
|
||||
* Management of the Employment or Working Relationship
|
||||
* Payroll, Compensation, and Accounting
|
||||
* Benefits Registration and Administration
|
||||
|
||||
Protect a Vital Interest:
|
||||
|
||||
* Emergency Notifications
|
||||
|
||||
Performance of a Task Carried out in the Public Interest:
|
||||
|
||||
* Scientific Research
|
||||
|
||||
Compliance with a Legal Obligation:
|
||||
|
||||
* Equal Opportunity Assessment and Accommodations
|
||||
* Legal and Policy Compliance Administration and Enforcement
|
||||
* Corporate Transactions
|
||||
|
||||
For our Legitimate Interest:
|
||||
|
||||
* Recruitment and Hiring
|
||||
* Career Planning and Development
|
||||
* General HR Administration
|
||||
* Equal Opportunity Assessment and Accommodations
|
||||
* Legal and Policy Compliance Administration and Enforcement
|
||||
* Personalization
|
||||
* Automated Decisions
|
||||
* General Business Operations
|
||||
|
||||
Where we process your Personal Data based on legitimate interests, you can object to this processing in certain circumstances. In such cases, we will cease processing your personal data unless we have compelling legitimate grounds to continue processing or where it is needed for legal reasons.
|
||||
|
||||
Reference in New Issue
Block a user