Applicant Privacy Notice

Effective Date: September 16, 2024

This Applicant Privacy Notice (“Applicant Notice”) explains how Tandem Diabetes Care Inc. and the Tandem legal entities with whom you are applying (collectively, “Tandem”, “we”, “our”, or “us”) collect, use, store, disclose and erase (“Process”) personal information about our recruits and job applicants (“Applicants”), why we Process it and how that Processing may affect you. We respect the privacy rights of individuals and are committed to handling personal information responsibly and in accordance with applicable law.

This notice does not apply to Applicants in California and Canada.

Please read this Notice in full to ensure you are completely informed about how we Process your personal information.

1. Personal information we collect and process when you apply for a position with us

We collect personal information about you when you apply for a job with us and during the recruitment process. How far you progress in the recruitment process will depend on the level of data that we collect. Your personal information will be collected either directly from you or indirectly from third parties.

  • Information that you provide directly

    We collect personal information directly from you when you choose to provide us with this information online and in any subsequent communications between us, whether online or offline, throughout the recruitment process.

  • Information from third parties

    On occasion, Tandem will use recruiters, who will provide us with your personal information. We also use LinkedIn to advertise roles within Tandem, and we may receive information when you apply for a role on LinkedIn.

    Any offer we make will be subject to the receipt of references and other relevant background checks. We will only contact referees whose details you provide to us. We will make it clear to you at the outset of the application process whether checks are undertaken with background checking organisations like the Disclosure and Barring Service.

    The table below describes the categories of personal information we collect from and about you through our online application process and on social media.

| Personal information description | Source(s) |
| --- | --- |
| Contact Information such as your title, name, phone number, home address and personal email address. | Directly from you online |
| Job Application Information, Professional History, Educational History and Qualifications such as position applied for, previous roles, job description, responsibilities and assignments, years of service, qualifications and experience, compensation and salary data as volunteered by the candidate, eligibility for and participation in benefit schemes and other information contained in your CV. | Directly from you online |
| Results of Reference Checks and Screenings such as verification of education and employment history. | Third parties |
| Background Check Information, such as disbarment and other searches relevant to the role for which you are applying. The sharing of this information will only be requested at the end of the final stage of the recruitment process, once the offer has been made and the applicant has accepted. | Third parties |
| Nationality, Citizenship and Right to Work Information such as country of birth, government identification documents (including passports and residency permits) and, where relevant, visa information. | Directly from you online and offline |
| Interview Information such as comments and notes made by interviewers or other Tandem employees in connection with your application. | Directly from you offline and from others involved in the interview process |
| Any other data provided by you in the course of the application process such as electronic communications with you in relation to the application process. | Directly from you online |
| Equal Opportunity Information such as information relating to your gender, race, ethnicity, and disability. | Directly from you online |

The provision of your contact information, work history and education is necessary for processing your application. The provision of your right to work and background check information is necessary to demonstrate your right to work in the country in which you are applying for a job, and that you have the appropriate background to undertake the role that you are applying for.

2. How we use your personal information (our purposes) and our legal basis for Processing it

We use the personal information that we collect from and about you only for the purposes described in this Applicant Notice.  Depending on our purpose for collecting your information, we rely on one of the following legal bases, in so far as required by applicable data protection law:

  • Contract – we require certain personal information in order to take steps prior to entering into an employment contract with you;
  • Consent – in certain circumstances, we may ask for your consent (separately from any contract between us) before we collect, use, or disclose your personal information, in which case you can voluntarily choose to give or deny your consent without any negative consequences to you;
  • Legitimate interests – we may use or disclose your personal information for the legitimate business interests of Tandem, but only where we are confident that your privacy rights will remain appropriately protected and in a way which is reasonable for you to expect as part of the running of our organisation, and which does not materially affect your rights and freedoms. If we rely on our legitimate interests in relation to your personal information, these interests will normally be to manage job applications and offers for positions with Tandem; communicate with Applicants; and review and improve our application and recruitment process; or
  • Legal obligation – there may be instances where we must Process and retain your personal information to comply with laws or to fulfil certain legal obligations, including in response to lawful requests by public authorities (such as for tax, immigration, health and safety, national security or law enforcement purposes); or to establish, exercise or defend against potential, threatened or actual legal claims.

The following table provides more details on our purposes for Processing your personal information. The legal basis under which your personal information is Processed will depend on the data concerned and the specific context in which we collect it.

We collect and use your personal information primarily for recruitment purposes – in particular, to determine your qualifications for employment and to reach a hiring decision. This includes assessing your skills, qualifications and background for a particular role, verifying your information, carrying out reference checks or background checks (where applicable) and to generally manage the hiring process and communicate with you about it.

Category of personal information, followed by how we use it (purposes):

Contact Information such as your title, name, phone number, home address and personal e-mail address.
  • We use this information to open and maintain applicant records.
  • We use this information to communicate with you as part of the recruitment process.
  • We use this information to conduct identity and background checks with respect to your education and employment history upon offer acceptance.

Job Application Information, Professional History, Educational History and Qualifications such as position applied for, previous roles, job description, responsibilities and assignments, years of service, qualifications and experience, compensation and salary data as volunteered by the candidate, eligibility for and participation in benefit schemes and other information contained in your CV.
  • We use this information to process and assess your application, including assessing your suitability for a role.
  • We use this information to calculate proposed compensation and assess eligibility for certain benefits.
  • We use this information to monitor and improve our application and recruitment processes.

Results of Reference Checks and Screenings such as verification of education and employment history.
  • We use this information to process and assess your application, including assessing your suitability for a role.
  • We use this information to fulfil our obligations under applicable law, regulations, legal processes or enforceable government requests.

Background Check Information, such as criminal records checks, disbarment and other searches relevant to the role for which you are applying.

The sharing of this information will only be requested at the end of the final stage of the recruitment process; only once the offer has been made and the applicant has accepted will they be asked for their “criminal record certificate.”

  • We use this information to verify your suitability for a role, where the nature of the role requires additional background checks (e.g., disbarment).

Nationality, Citizenship and Right to Work Information such as country of birth, government identification documents (including passports and residency permits) and, where relevant, visa information.
  • We use this information to determine your eligibility to work upon accepted offer.
  • We use this information to fulfil our obligations to relevant government authorities.

Interview Information such as comments and notes made by interviewers or other Tandem employees in connection with your application.
  • We use this information to process and assess your application, including assessing your suitability for a role.
  • We use this information to calculate proposed compensation and assess eligibility for certain benefits.
  • We use this information to monitor and improve our application and recruitment processes.

Any other data provided by you in the course of the application process including electronic communications with you in relation to the application process.
  • We use this information to process and assess your application, including assessing your suitability for a role.
  • We use this information to respond to your enquiries and to monitor and improve our application and recruitment processes.

Equal Opportunity Information such as information relating to your gender, race, ethnicity, disability and veteran status on a voluntary basis only.
  • We will anonymize this information where possible.
  • We will aggregate this information to understand, monitor and improve our application and recruitment processes in line with our diversity and inclusion strategy.

As a general rule, during the recruitment process, we try not to collect or process any information that reveals your racial or ethnic origin, religious, political or philosophical beliefs or trade union membership; genetic data; biometric data for the purposes of unique identification; or information concerning your health/sex life; as well as, for the purposes of the Swiss Data Protection Act, data on administrative or criminal proceedings and sanctions, data on social security measures and data on the intimate sphere in general ("Sensitive Personal Information"), unless authorized by law or where necessary to comply with applicable laws.

In some circumstances, we may need to collect, or request on a voluntary disclosure basis, some Sensitive Personal Information for legitimate recruitment related purposes, for example, information about your racial/ethnic origin, gender and disabilities for the purposes of equal opportunities monitoring, to comply with anti-discrimination laws and for government reporting obligations; or information about your physical or mental condition to consider accommodations for the recruitment process and/or subsequent job role. You may provide, on a voluntary basis, other Sensitive Personal Information during the recruitment process.

3. Who we share your personal information with

We may make certain personal information available to third parties who provide services relating to the recruitment process to us, including:

  • recruitment or executive search agencies involved in our recruitment process;
  • companies that provide services for reference checks and screenings and background checks;
  • data storage, shared services and recruitment platform providers, IT developers and support providers and providers of hosting services in relation to our job vacancies website page; and
  • third parties who provide support and advice including in relation to legal, financial / audit, management consultancy, insurance, health and safety, security and intel and whistleblowing / reporting issues.

4. How we keep your personal information secure

We use appropriate administrative, technical, physical and organisational measures to protect the personal information that we collect and process about you. The measures we use are designed to provide a level of security appropriate to the risk of processing. Specific measures we use include managerial measures, including establishment and implementation of an internal management plan and periodic training for employees; technical measures, including controlling access rights to personal information processing systems and encryption of important data; and physical measures, including external security and management of system servers. While we implement security measures designed to be appropriate to the relevant risks, please note that no data transmission over the Internet or any wireless network can be guaranteed as being 100% secure.

5. International data transfers

As we operate internationally, in some cases, where your personal information is transferred to another Tandem company, it is processed in countries other than the country in which you are resident, including in the United States, where Tandem is headquartered. This means that when we collect your personal information, we will process it in any of these countries, potentially in any country in the world. These countries may have data protection laws that are different to the laws of your country (and, in some cases, may not be as protective).

Where we transfer your personal information to countries and territories outside of the European Economic Area, the UK and Switzerland which have been formally recognised as providing an adequate level of protection for personal information, we rely on the relevant "adequacy decisions" from the European Commission, the "adequacy regulations" (data bridges) from the Secretary of State in the UK, and the adequacy assessment from the Swiss Federal Council, as applicable (together referred to as "EEA/Swiss/UK adequacy decisions").

Some EEA/Swiss/UK adequacy decisions require Tandem to take steps in order for relevant transfers to be covered, in particular for transfers to the U.S. under the EU-U.S. Data Privacy Framework ("EU-U.S. DPF"), the UK Extension to the EU-U.S. DPF ("UK Extension"), and the Swiss-U.S. Data Privacy Framework ("Swiss-U.S. DPF") as set forth by the U.S. Department of Commerce.

Tandem's US entities (Tandem Diabetes Care, Inc. and Sugarmate, Inc.) have certified to the U.S. Department of Commerce that they adhere to:

  • the EU-U.S. Data Privacy Framework Principles ("EU-U.S. DPF Principles") with regard to the processing of personal information received from the EEA in reliance on the EU-U.S. DPF and from the UK in reliance on the UK Extension to the EU-U.S. DPF; and
  • the Swiss-U.S. Data Privacy Framework Principles ("Swiss-U.S. DPF Principles") with regard to the processing of personal information received from Switzerland in reliance on the Swiss-U.S. DPF.

To learn more about the Data Privacy Framework ("DPF") and to view our certification, see here. It is important however for us to provide you with the following information about our certification:

  • We will only rely on the UK Extension and the Swiss-U.S. DPF as transfer mechanisms under the applicable data protection laws, once respectively (i) the adequacy regulations implementing the data bridge for the UK Extension; and/or (ii) the Swiss Federal Council's recognition of adequacy of the Swiss-U.S. DPF, enter into force.
  • We are responsible for the processing of personal information received under each DPF and, subsequently, transfers to a third party acting on our behalf. We comply with the DPF Principles for all onward transfers of personal information we receive in reliance on the EU-U.S. / Swiss-U.S. DPF Principles and/or the UK Extension, including the onward transfer liability provisions. In particular, where we have received your personal information in the U.S. in reliance upon the EU-U.S. / Swiss-U.S. DPF Principles and/or the UK Extension, if we subsequently transfer that information to a third party acting on our behalf, and that third party processes your personal information in a manner inconsistent with the Principles, we will remain liable unless we can prove we are not responsible for the event giving rise to the damage.
  • With respect to personal information received or transferred pursuant to each of the DPFs, Tandem is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, we may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
  • If you want to contact us with any inquiries or complaints regarding our reliance on the DPFs, you can email us at privacy@tandemdiabetes.com or see the How to Contact Us section at the end of this Privacy Notice.
  • If you have an unresolved privacy concern that we have not addressed satisfactorily, you can contact the individual panel established by the EU DPAs and, as applicable, the UK Information Commissioner's Office (ICO) (and the Gibraltar Regulatory Authority (GRA)), and/or the Swiss Federal Data Protection and Information Commissioner (FDPIC) free of charge to make a complaint. Tandem commits to cooperate and comply with the advice of this panel. Under certain conditions, more fully described on the DPF website, you may also invoke binding arbitration when other dispute resolution procedures have been exhausted.

Where the transfer is not subject to an adequacy decision or regulations, we take appropriate safeguards to require that your personal information remains protected. The safeguards we use under GDPR include the European Commission's Standard Contractual Clauses ("SCCs") as issued on 4 June 2021, in the form of module 1 (controller to controller), module 2 (controller to processor), module 3 (processor to processor) and/or module 4 (processor to controller), as appropriate depending on our relationship with the recipient(s). We incorporate the UK's International Data Transfer Addendum to the EU Commission SCCs as permitted under Article 46 of the UK GDPR when transferring personal information protected under UK GDPR, and the Swiss Addendum to the SCCs as provided by the FDPIC in its statement of 27 August 2021.

Our SCCs can be provided on request. Please note some sensitive commercial information may be redacted. In exceptional circumstances, personal information may also be transferred to countries that are not subject to an adequacy decision or regulations on the basis of a derogation. A derogation may apply, for example, in case of legal proceedings abroad, if transfer is necessary for the performance of a contract, if you have consented to the transfer, or if the data has been made generally available by you and you have not objected to the processing.

For details of what personal information may be transferred to Tandem group entities or third parties, please see the Disclosing Your Information section of this Notice above.

6. Data Retention

We will store your personal information for no longer than is necessary for the performance of our obligations or to achieve the purposes for which the information was collected, or as may be required or permitted under applicable law. To determine the appropriate retention period, we will consider the amount, nature, and sensitivity of the data; the potential risk of harm from unauthorized use or disclosure of the data; the purposes for which we process the data and whether we can achieve those purposes through other means; and the applicable legal requirements. Unless otherwise required by applicable law, at the end of the retention period we will remove personal information from our systems and records or take appropriate steps to properly anonymize, deidentify, or aggregate it, where legally applicable.

If your application is successful and you become an employee, where permitted by local law the personal data we collect during the application process may be transferred to your personnel file and stored in accordance with our Employee Privacy Policy, which will be made available to you at the start of your employment.

7. Your data protection rights

Please note, we do not currently use your personal information for automated decision making which produces legal effects concerning you or similarly significantly affects you.

The GDPR and UK GDPR provide EEA and UK residents with certain rights regarding their personal information. If you are a resident of the EEA or the UK, subject to certain conditions, you may ask us to take the following actions in relation to your personal information:

  • Provide you with information about our processing of your personal information and give you access to your personal information.
  • Update or correct inaccuracies in your personal information.
  • Delete your personal information.
  • Transfer a machine-readable copy of your personal information to you or an external party of your choice.
  • Restrict the processing of your personal information.
  • Object to our processing of your personal information including for direct marketing purposes.
  • Obtain information about and object to our reliance on legitimate interests as the basis for processing of your personal information.
  • Withdraw your consent for processing personal information where applicable.

Under the Swiss Data Protection Act you have similar rights, subject to certain restrictions defined by law that we are entitled or even required to apply (e.g., to protect third party interests).

You can submit requests by email to DPO@tandemdiabetes.com. Applicable law may require or permit us to decline your request. If we decline your request, we will tell you why, subject to legal restrictions. If you would like to submit a complaint about our use of your personal information or our response to your requests regarding your personal information, you may contact us at DPO@tandemdiabetes.com or submit a complaint to a data protection regulator. EEA residents can find information about your data protection regulator here. The data protection regulator for residents of the United Kingdom is the Information Commissioner’s Office. The data protection regulator for residents in Switzerland is the Federal Data Protection and Information Commissioner.

8. Updates to this Applicant Notice

We may update this Applicant Notice from time to time. You can see when this Applicant Notice was last updated by checking the "Last Updated" date displayed at the top of this Applicant Notice. You will be informed, via relevant means, of any material changes to this Privacy Notice. Any changes to this Privacy Notice take effect immediately after being posted or otherwise provided by Tandem.

9. How to contact us

Please note that you may reach out to your line manager in the first instance if you have any question regarding data protection.

You can also contact us as follows:

Either contact Tandem directly at privacy@tandemdiabetes.com; or Tandem’s EEA and UK Data Protection Officer (DPO) at:

Fieldfisher LLP
Attn: Data Privacy
Riverbank House
2 Swan Lane
London
EC4R 3TT

Email: DPO@tandemdiabetes.com