Effective Date: January 1, 2023
Palo Alto Networks is committed to protecting the privacy and security of your personal data. This Global Candidate Privacy Notice (“Candidate Privacy Notice”) describes how Palo Alto Networks, Inc. and its subsidiaries and affiliated entities (collectively, "Palo Alto Networks," "we," or "us") collect and process personal data about you during the application and recruitment process. This Candidate Privacy Notice applies to job applicants only, but supplements and should be read together with the Palo Alto Networks Privacy Notice which applies to all personal data collected on our website(s).
This Candidate Privacy Notice describes the categories of personal data that we collect, how we use your personal data, how we secure your personal data, when we may disclose your personal data to third parties, and when we may transfer your personal data outside of your home jurisdiction. This Candidate Privacy Notice also describes your rights regarding the personal data that we hold about you and how you can request access to, correction of, object to or restrict processing of, portable copies of, and erasure of your personal data.
We will only process your personal data as described in this Candidate Privacy Notice unless otherwise permitted or required by applicable law. We take steps to ensure that the personal data that we collect about you is adequate, relevant, not excessive, and processed for limited purposes.
Depending on your jurisdiction, there may be certain rights applicable to you for which we may provide separate notice informing you of your rights and how to adequately exercise them.
For purposes of this Candidate Privacy Notice, personal data means any information about an identifiable individual or household collected in connection with the application and recruitment process. Palo Alto Networks may collect personal data directly from you, as a job applicant, or may receive personal data from third parties, for example, via forms you submit to us on our website or job application portal in connection with a background, employment, or reference check, subject to your consent where required by law. We may collect, store, and process the following categories of personal data in connection with our recruiting and interview process:
The provision of full and complete information in support of a job application is necessary for selection purposes. Failure to provide any of the data may affect the processing of your application.
We only process your personal data as described in this Candidate Privacy Notice or as otherwise required or permitted by applicable law in connection with carrying out our application and recruitment process. We may process your personal data for the following legitimate business purposes:
We will store the personal data we collect about you for no longer than necessary for the purposes set out above and in accordance with our legal obligations and legitimate business interests. In addition to using your personal data for the position for which you have applied, we may retain and use your personal data to inform you about and consider you for other positions that may be of interest to you. If you do not want us to consider you for other positions or would like us to remove your personal data, you may contact us at firstname.lastname@example.org. We will only process your personal data for the purposes for which we collected it unless otherwise required by applicable law. If we need to process your personal data for an unrelated purpose, we will provide notice to you and, if required by law, seek your consent. We may process your personal data without your knowledge or consent where required by applicable law, regulation, or court order.
The following categories of personal data may be considered sensitive under the laws of your jurisdiction and may receive special protection:
We may collect and process the following categories of sensitive personal data when you voluntarily provide them or we receive them from a third party with your consent, when relevant for a particular position and as permitted by applicable law:
Where we have a legitimate need to process your sensitive personal data for purposes not identified above, we will only do so only after providing you with notice and, if required by law, obtaining your consent.
We will only disclose your personal data to third parties where required by law or to our employees, contractors, designated agents, or third-party service providers who require such information to assist us with administering the application and recruitment process, including third-party service providers who provide services to us or on our behalf. We may use third-party service providers for various purposes, including, but not limited to, obtaining employment verification and background checks. These third-party service providers may be located outside of the country in which you live or the country where the position you have applied for is located.
We require all our third-party service providers, by written contract, to implement appropriate security measures to protect your personal data consistent with our policies and any data security obligations applicable to us. We only permit them to process your personal data for specified purposes in accordance with our instructions.
We may also disclose your personal data for the following additional purposes, where permitted or required by applicable law:
We may combine information that we receive from the various sources described in this Candidate Privacy Notice, including third party sources and public sources, and use or disclose it for the purposes set forth herein.
Where not prohibited by applicable law, we may transfer the personal data we collect about you to jurisdictions outside your home country, but in accordance with applicable legal requirements (if any) for the purposes set out in this Candidate Privacy Notice. To the extent required by applicable law, we have implemented data transfer agreements/obtained consent to secure the transfer of your personal data to other jurisdictions outside your home country that may not be deemed to provide the same level of protection as your home country.
If you are based in the UK, Switzerland, or the European Economic Area (EEA), please note that, where necessary, your personal data may be processed by other Palo Alto Networks entities and service providers outside the UK, Switzerland, and EEA, such as the United States of America. These international transfers of your personal data will be made pursuant to appropriate safeguards, such as standard data protection clauses adopted by the European Commission. If you wish to enquire further about these safeguards used, you may contact us at email@example.com.
We have implemented appropriate physical, technical, and organizational security measures designed to secure your personal data against accidental loss and unauthorized access, use, alteration, or disclosure. In addition, we limit access to personal data to those employees, agents, contractors, and other third parties that have a legitimate business need for such access and are bound to a contractual and/or professional duty of confidentiality. All personal data we collect will be stored on secure servers. When we transfer personal data to others, we will ensure that the recipients also implement appropriate technical and organizational security measures to protect your personal data.
We will only retain your personal data for as long as reasonably necessary to fulfill the purposes for which we collected it and will honor your exercise of data subject rights, subject to any limitations or exclusions recognized by applicable law. To determine the appropriate retention period for your personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of the personal data, the purposes for which we process the personal data and whether we can achieve those purposes through other means, subject to applicable legal, regulatory, tax, accounting, reporting, or other requirements or when retention is necessary to resolve a pending legal dispute.
In cases where we have no ongoing legitimate business need to process your personal data, we will either delete your personal data or, if this is not possible (e.g., because your personal data has been stored in backup archives), we will securely store your personal data and isolate it further from any further processing until deletion is possible.
If you are offered and accept employment with Palo Alto Networks, the personal data we collected during the application and recruitment process will become part of your employment record and we may use it in connection with your employment consistent with our employee personal data use and privacy policies. If you do not become an employee, or, once you are no longer an employee of Palo Alto Networks, we will retain and securely destroy your personal data in accordance with our retention policy and any applicable laws and regulations.
We use a combination of legitimate interests, performance of a contract (including the intention to enter into a contract) and/or consent as the legal bases to process the personal data that you share with us as part of the application and recruitment process.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during the application and recruitment process. By law, you may have the right to request access to, correct, or erase the personal data that we hold about you, object to or restrict our processing of your personal data, or request the portability of your personal data, under certain circumstances. If you wish to exercise any of these rights, please contact us at firstname.lastname@example.org. Depending on the jurisdiction where you are located, some of these rights may not apply.
We may request specific information from you to help us confirm your identity, verify your rights, and respond to your request, including to provide you with the personal data that we may hold about you. Please note that applicable law may allow or require us to deny your request or there may be cases where we may have already destroyed, erased, or made your personal data anonymous in accordance with our record retention obligations and practices. If we cannot respond to your request, we will inform you of the reasons why, subject to any legal or regulatory restrictions.
We are not required to obtain additional consent for most of the processing activities that we undertake in respect of the personal data you have submitted to us. We may, however, seek your consent for some uses of personal data. If we need your consent, we will notify you of the personal data we intend to use and how we intend to use it.
You will never be obligated to provide us with your consent. Where you have provided your consent to the collection, processing, and transfer of your personal data, you may have the legal right to withdraw your consent under certain circumstances. To withdraw your consent, if applicable, contact us at email@example.com.
We have appointed a data protection officer to oversee compliance with this Candidate Privacy Notice. If you have any questions about this Candidate Privacy Notice or how we handle your personal data, or you would like to make a request relating to your personal data, please contact the data protection officer at: firstname.lastname@example.org. If you are unsatisfied with our response to any issues that you raise with the data protection officer, you may have the right to make a complaint with the applicable data protection authority in your jurisdiction.
We reserve the right to update this Candidate Privacy Notice at any time and we will provide you with access to any new Candidate Privacy Notice when we make any material updates. If we would like to use your previously collected personal data for different purposes than those we notified you about at the time of collection, we will provide you with notice and, where required by law, seek your consent before using your personal data for a new or unrelated purpose. We may process your personal data without your knowledge or consent where required by applicable law, regulation, or court order.
If you have any questions about our processing of your personal data or would like to make an access or other request, please contact us at: email@example.com.
Effective Date: January 1, 2023
This California Rights Addendum (the “Addendum”) supplements Palo Alto Networks’ (“we”, “us”, and “our”) Global Candidate Privacy Notice and supports compliance with the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, the “CPRA”), and this Addendum solely applies to you if you are a covered person who resides in the State of California in the United States of America.
In the event of a conflict between the terms of this Addendum and the rest of the Global Candidate Privacy Notice, this Addendum shall take precedence for California residents. Capitalized terms not defined herein shall have the meanings set forth in the California Consumer Privacy Act (“CPRA”).
For purposes of this Addendum, the term “personal information” includes “sensitive personal information” such as social security number, driver license number, state identification card, passport number, financial data, genetic data, biometric data, precise geolocation, and racial and ethnic origin, content of consumer communications (email, mail, or text) unless the business is the intended recipient, genetic data, and information collected concerning a consumer’s health, sex life, or sexual orientation.commission or alleged commission of crime or related proceedings, and/or financial information. Any terms used but not defined herein have the meanings assigned to them under the CPRA.
In any event, under the CPRA, personal information (including sensitive personal information) generally does not include (i) publicly available information from government or other publicly available records, (ii) de-identified or aggregated information, or (iii) any other information excluded under applicable law.
As of January 1, 2023, the CPRA provides California residents (referred to as “you” herein) with specific rights regarding their personal information, subject to certain legal limitations and exceptions. The existing and new rights available to California job applicants include the following:
If we receive a request from a job applicant to exercise one of the above rights, we will be required to honor the request within 45 days (which may be extended for up to an additional 45 days under certain circumstances), unless an exception applies.
This section sets forth the categories of “personal information” (as such terms are defined under the CPRA) that we may collect about you when you inquire about and/or apply for employment at Palo Alto Networks.
In particular, we have collected the following categories of personal information in the preceding twelve (12) months from one or more job candidates for the purposes identified below:
1. Personal Information
|Personal Information Category
(including name or alias, home address, telephone number, or email address)
|Used to process and manage interactions and transactions with job applicants, service providers, contractors, and third parties; provide and perform marketing and support; maintain security of personnel and company and employee property and facilities; perform human resource functions and employment training; fulfill legal obligations of the company; and manage employment and administer benefits.
|California Customer Records Statute
(including signature, education, employment history, bank account number, or any other financial information, medical information, or health insurance information, etc.)
Note: Some personal Information included in this category may overlap with other categories.
|Used to implement diversity and inclusion programs and to comply with applicable laws; perform human resource functions, including hiring and interviewing job candidates; and manage employment and administer benefits and payroll.
|Protected classification characteristics under California or federal law
(such as race, national origin, religion, gender, age, sexual orientation, medical conditions, citizenship, disability, military or veteran status, request for family and medical care leave, and request for pregnancy disability leave)
|Used to implement and improve our diversity and inclusion programs and to comply with applicable laws, such as the reporting requirements of the Federal Equal Employment Opportunity Act; to perform human resource functions; and manage employment and administer benefits, reasonable accommodations, and leaves of absence.
(such as records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies)
|Used to process and manage interactions and transactions with customers, service providers, contractors, and third parties; and provide and perform products and services and related marketing and support.
(such as voice recordings or keystrokes)
|Used to conduct research for the purpose of reviewing and improving products and services and associated marketing and customer support; and to conduct employment-related training.
|Internet or other similar network activity
(such as browsing or search history)
|Used to protect the Company, customer, and employee property, equipment, and confidential information; monitor employee performance; and enforce the Company's electronic communications acceptable use and code of conduct policies; manage internal investigations and whistleblower programs; and enforce the company’s legal rights.
(such as the location of company-issued laptops, mobile phones, device location)
|Used to protect the Company, customer, and employee property, equipment, and confidential information; monitor employee performance; and enforce the Company's electronic communications acceptable use and code of conduct policies; manage internal investigations; and exercise the company’s legal rights.
(such as audio, electric, visual, thermal, olfactory, or similar information)
|Used to protect the Company, customer, and employee property, equipment, and confidential information; enforce the Company's electronic communications acceptable use and code of conduct policies; manage internal investigations; and exercise the company’s legal rights.
|Professional or employment-related information
(such as work history, prior employer, human resources data, and data necessary for administering benefits and related administrative services)
|Used to establish, manage, or terminate the employment relationship or manage the post-employment relationship, administer health and Workers’ Compensation insurance programs; and comply with applicable laws.
|Non-public education information
(such as Non-publicly available educational information as defined under the Family Educational Rights and Privacy Act (FERPA) and related regulations, such as a grade point average, report card, and school transcript)
|Used to the extent that educational information is relevant to interviewing and hiring qualifications for employees, interns, and contractors and as may be necessary for a tuition reimbursement program.
|Inferences drawn from other personal information
(when used to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes)
|To administer, provide access to, monitor, and secure our information technology systems, websites, applications, databases, and devices; to comply with legal and regulatory obligations.
2. Sensitive Personal Information
We do not collect or process sensitive personal information or characteristics of protected classifications for the purpose of inferring characteristics about job applicants.
We do not sell (as that term is defined under the California Privacy Rights Act (CPRA)) your personal information to third parties. This means that we do not sell, rent, share, or otherwise disclose your personal information to third parties in exchange for monetary or other valuable consideration.
We may share your personal information by disclosing it to a third party for a business purpose. We only make these business purpose disclosures under written contracts that describe the purposes, require the recipient to keep the personal information confidential, and prohibit using the disclosed information for any purpose except performing the contract.
During the past 12 months, we have disclosed for our business purposes the categories of personal information listed above to the following categories of third parties: