BridgeBio EEA, CH and UK Candidate Privacy Notice

What does this notice cover?

BridgeBio Pharma, Inc., a company with its registered office at 3160 Porter Drive, Palo Alto, CA 94304, USA, along with its affiliates and subsidiaries worldwide (collectively, “BridgeBio”, “we,” “us,” or “our”), is committed to handling personal data responsibly and in accordance with applicable law. This Candidate Privacy Notice (“Notice”) explains our data collection and processing practices in the context of our employment opportunities in the European Economic Area, Switzerland, and the United Kingdom. This Notice does not apply to BridgeBio’s processing of candidate information in any other region or country. It also describes your data protection rights, including a right to object to some of the processing that we carry out. More information about your rights, and how to exercise them, is set out in the "How can you exercise Your rights" section.

Please note that this Notice applies only to our processing of your personal data as a candidate for an employment opportunity with BridgeBio. It does not cover your use of our websites as a consumer or investor, participation in any of our research or clinical trials, or any permanent employment with us.

Who is the data controller for your data?

The information in this notice explains the way that all BridgeBio companies process candidate data. The data controller for your data will be the BridgeBio company that you have applied to.

What information do we collect from job applicants?

When we consider you for opportunities at BridgeBio, we collect and use these types of data:

  • Personal Identification Information: Your name, contact information (such as address, phone number, email address), gender, picture, government issues identification numbers, and any other information you provide (such as information on your resume or cover letter);
  • Information about your nationality, entitlement to work in any given country (work permit and visa information), family status and situation, military or civil service information, desired salary, location preferences, and other job preferences;
  • Information we obtained during the application process: information relating to experience, education, and right to work/permits checks, your curriculum vitae (resume), qualifications, skills, referrals and references, and employment history, terms and conditions of our employment agreement and other agreements;
  • Information that you make publicly available in connection with your application, such as contact information, your education, and work experience information (e.g., when you share information via job search and career networking sites as far as it is relevant to consider you for career opportunities and in accordance with your privacy settings on those services);
  • Interview details, and outcomes of any recruiting exercises you complete;
  • Information collected about you as a result of any in-person interview, including but not limited to any CCTV footage or any information collected in visitor logs and as a result of visitor badge access;
  • If you're being referred, information that the person referring you provides about you;
  • We also sometimes receive information such as your education and work experience, contact information, and demographics, from third-party data providers who have the right to provide us with your information. These partners collect your information from publicly available sources, or through third parties with whom they work;
  • Any information that applicable local laws require us to collect in connection with the recruiting process; and
  • If disclosed, special categories of personal data, for example, information about your health, special needs, disabilities or other information where we need to make any reasonable adjustments or related to accommodations that you may request during the recruiting process; equal opportunities monitoring information, including information about your ethnic origin, sexual orientation, and health and religion or belief.

We collect most of this information from you directly. For example, data is collected through application forms and resumes; obtained from your passport or other identity documents; from forms completed by you; from correspondence with you; or through interviews, meetings, or other forms and assessments.

Where authorized, we also collect some information about you from other people or organizations: we collect your personal identification information and application information from your references, including previous employers, and from our background screening provider during the pre-employment screening process, where applicable.

Lastly, we collect information from our systems and solutions, including email, intranet, and any other information technology system or solution you access during your interview process. In addition, we may collect personal information through closed circuit video monitoring, badging systems, and other security tools, when applicable.

How do we use this information, and what is our legal basis?

We must have a legal basis to process your data. We explain each of these legal bases below. We also set out the purposes for which we process your data.

We use the information we collect from and about you:

  • Consistent with specific consents that you may provide (if applicable), and which you may revoke at any time.
    • We use your consent in the submittal of your application, including any resume or other documentation that you provide, to determine your suitability as a candidate for any job openings and during the interview and pre-employment period;
    • As necessary to perform pre-employment background checks. For more information, please see below; and
    • For example, with your consent, we use your data to contact you about future career opportunities at BridgeBio. This includes storing your data and keeping it up to date and using it to contact you.
  • As necessary to comply with our legal obligations: for example, local laws may require us to submit reports about our recruiting processes and outcomes
  • As necessary for our (or others’) legitimate interests, including our interests in:
    • assessing your suitability for a particular role or roles;
    • facilitating the recruiting and interview process, including processing necessary for travel and booking purposes;
    • verifying the information you or others provide about your application;
    • presenting you with an offer of employment if your application is successful; and
    • managing and improving our application and interview process and performing management reporting and analysis related to recruiting metrics and success factors.

unless those interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data.

More information about background checks

For certain positions, it will be necessary for us to verify the details you have supplied (for example, in relation to your identity, employment history, academic qualification and professional credentials) and to conduct pre-employment background checks (for example, in relation to previous criminal convictions or financial standing). The level of checks will depend on your role, in particular if you will occupy a regulated role, and will be conducted at as late a stage as is practicable in the recruitment process and often only after you have been selected for the position. If your application is successful and we deem a background check is necessary, we will provide further information about the checks involved and will obtain any necessary consent prior to completing such checks.

How do we share this information?

We share job applicant information for some limited purposes as follows:

  • Within the BridgeBio family of companies – We may share your information among the different BridgeBio entities if your application is relevant to roles across the entities or to collaborate on candidate and employment activities and goals.
  • With service providers and vendors – These are entities that help us manage and improve the recruiting process and who perform services on our behalf, such as recruitment providers, interview and assessment providers, interview travel booking and expense providers, relocation entities, immigration advisors, reporting and analytics services, and pre-employment screening services. These entities are required to protect the information we share with them with appropriate organizational and technical safeguards and to use such information as necessary to provide services to us.
  • With regulators and other governmental entities – We may access, preserve, and share your information with regulators, law enforcement, or others in response to a valid legal request if we have a good-faith belief that the law required us to do so; or we conclude that such sharing is necessary to detect, prevent, and address fraud, unauthorized use of our systems, prevent violations of our terms, or protect our rights or the rights of others.
  • If we merge with another organization or form a new entity, your personal data may be transferred to that new entity.

How do we operate and transfer data as part of our global business?

As a global company headquartered in the United States, we share data globally, both internally within the BridgeBio family of companies, and externally with our service providers. When we transfer your personal data to other countries, we take steps to ensure your personal data is adequately protected, using transfer mechanisms such as EU-approved standard clauses. Where cross-border data transfers occur, we ensure that an adequate level of data protection exists in the recipient country, by executing with third parties, including our affiliates, appropriate contractual arrangements for cross-border data transfers to third-party countries for controllers or processors as applicable. For transfers governed by UK and EU GDPR, these- measures will include transfers based on adequacy decisions, EU standard contractual clauses (SCCs), the UK international data transfer agreements, and addendum to the EU SCCs supplemented by any supplementary measures as may be required.

How do we protect your personal information?

We have implemented a variety of technological and organizational procedures and measures to protect your personal information from unauthorized access, use, and disclosure. However, please note that no method of Internet transmission can be completely secure. As such, we cannot guarantee absolute security of your Personal information. Please take steps to protect yourself, such as using and protecting your unique login credentials and passwords, utilizing encryption, and using anti-virus solutions.

How long do we retain your personal information?

We will retain personal information we collect from job applicants for as long as necessary for the purposes described in this Notice, as required to comply with our legal obligations, to resolve disputes, and to enforce our contractual agreements.

If you're successful in your application for a position at BridgeBio, we retain the information you provide during the application process as part of your employee records. If you are not successful, we will retain your personal data with your permission for three (3) years so we can keep you in mind for future recruitment processes; otherwise, it will be deleted following closure of the application process.

To determine the appropriate retention period for your personal information, we will consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of your personal information, the purposes for which we use your personal information, and whether we can achieve those purposes through other means, and the applicable legal requirements. For further information in relation to our retention periods please contact us at dataprivacy@bridgebio.com at any time.

Anonymous/De-identified information.

In accordance with applicable legal requirements, we may anonymize/de-identify personal information collected from and about you so that it can no longer be linked to you or your device. Information that has been anonymized/de-identified in such a way is no longer subject to this Notice and can be used and shared by us at our discretion and maintained indefinitely.

Automated individual decision-making.

We do not engage in solely automated individual decision-making, including profiling, which produces legal effects or similarly significantly affects you. If BridgeBio should in the future engage in solely automated individual decision-making, including profiling, which produces legal or similarly significantly effects, you will be informed separately and BridgeBio will only do so, if

  • it is necessary for entering into, or performance of, a contract between you and BridgeBio;
  • we are authorized by applicable law which lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
  • it is based on your voluntary explicit consent.

How can You exercise Your rights?

BridgeBio respects the rights of individuals, and as such we will honor such requests in accordance with applicable laws and regulations, subject to applicable exceptions and adequate verification of your identity.

  • Right to access: You have the right to obtain confirmation as to whether or not your personal information is being processed and, where applicable, to obtain a copy of your personal information undergoing processing, as well as information about notably the purposes, categories, recipients, retention periods, and sources of your personal information.
  • Right to rectification: You have the right to request the correction of any inaccurate or incomplete personal information that we hold about you.
  • Right to erasure: You have the right to request the deletion of your personal information that we no longer need for the purposes for which they were collected, or that we process unlawfully or without your consent. We will erase your personal information, unless we have a legal obligation or a legitimate interest in keeping them.
  • Right to restriction on processing: You have the right to request the limitation of the processing of your personal information in certain situations, such as when you contest the accuracy of your data, when the processing is unlawful but you oppose the erasure, when we no longer need your data but you require them for a legal claim, or when you object to the processing based on our legitimate interests.
  • Right to object to processing: You have the right to object to the processing of your personal information based on our legitimate interests, or for direct marketing purposes. We will stop the processing of your data as soon as possible, unless we have overriding legitimate grounds to continue the processing.
  • Right to portability: You have the right to receive a copy of your personal information that we process based on your consent or a contract, in a structured, commonly used, and machine-readable format. You also have the right to request that we transfer your data to another controller, where technically feasible.
  • Right to withdraw your consent: Where we rely on your consent for the processing of your personal information, you have the right to withdraw your consent for that specific processing at any time and for the future.
  • Right to lodge a complaint before a data protection authority: You have the right to lodge a complaint with a supervisory authority if you believe that we have violated your data protection rights, available here.

How to contact us with questions or data privacy requests?

If you have any questions about the processing of your personal information or wish to exercise any of your data privacy rights above mentioned, you can contact us at dataprivacy@bridgebio.com or send a mail to:

Attn: Legal Department
c/o BridgeBio Pharma, Inc.
Suite 250, 3160 Porter Drive
Palo Alto, CA 94304 (USA)

We will provide information on action taken on your request within one month. This period may be extended where necessary, and we shall inform you of any such extension within one month of receipt of your request together with the reasons for the delay.

How to contact the Data Protection Officer?

BridgeBio has appointed Bird & Bird DPO Services SRL as a Data Protection Officer (DPO) for the EEA and the UK and may be reached:

  • by using the following email: DPO.BridgeBio@twobirds.com
  • by mail at the following address:

    Bird & Bird DPO Services SRL
    Avenue Louise 235 b 1
    1050 Brussels, Belgium

How can you learn about changes to this Notice?

We may change this Notice from time to time. If we make changes to the Notice that are material, we will provide you with notice in accordance with applicable legal requirements.