HCLTech Candidate Data Privacy Notice
Effective Date: September 22nd, 2025
INTRODUCTION
HCLTech is committed to protecting and securing the privacy and confidentiality of the Personal Data it processes about you when applying for a job at HCLTech, either directly via career portals, third-party platforms, or indirectly via referrals, third-party human resources agency, and any other platforms as may be applicable. This notice (the “Notice”) outlines and explains how HCL Technologies Limited including its subsidiaries, local employing entities, associates, and affiliated companies [acting as an Employer , collectively referred to as “HCLTech”, “us,” “our”, or “we”] will process your Personal Data in accordance with applicable privacy legislation(s). Our EU representative is HCL (IRELAND) INFORMATION SYSTEMS LIMITED, C/O TMF Group Ground Floor, Two Dockland Central, Guild St, North Dock, Dublin, Ireland D01 K2C5.
Please refer to ‘Annexure B’ for definitions.
What Does This Notice Cover?
This Notice aims to provide you with information on what Personal Data we process about you, why and how we process your Personal Data, including details on the privacy principles we will abide by, and informing you of certain rights you may be able to exercise on your Personal Data.
This Notice applies to all job applicant(s)/candidate(s) of HCLTech globally, subject to local caveats highlighted herein.
In certain circumstances, we may provide you with an additional notice regarding the processing of your personal data. Such notices will generally set out further processing purposes that are not addressed in this Notice. Any such notice shall operate as a supplemental notice, applying solely to the specific circumstances identified therein, and shall not affect the validity or applicability of this Notice.
What Personal Data Do We Process?
For the purposes of this Notice, ‘Personal Data’ means any information about you from which you can be identified (whether derived from that information on its own or when combined with other information that we or another party may hold about you).
As part of your recruitment and/or onboarding process, Personal Data may be either provided to us by you or collected through a third party as part of your recruitment process with HCLTech. Such Personal Data may include but is not limited to:
- Identifying data, such as name, email address or username;
- contact details, such as postal address and telephone number;
- recruitment-related information, such as right to work authorisation, citizenship, date of birth, residency, government issued identifiers, previous work experience information (including previous employer references), qualifications and work history, educational background, language skills, professional skills and talents, professional membership, community engagement, geographic location preferences, and recruitment company reports (where available), salary expectations, remuneration details (where allowed), interactions over emails, webchats, audio/video conversations; and
- Any other Personal Data you voluntarily provide during the job application process for our consideration.
Special Categories of Personal Data
HCLTech may process Special Categories of Personal Data such as, racial/ethnic origin, and health information, in limited circumstances and only where we are permitted to do so e.g. to carry out our obligation(s) and exercise our right(s) in relation to employment law or any other law as it may apply to us. Additionally, HCLTech may request you to provide Special Categories of Personal Data, such as your biometric data for ID verification, and to prevent fraud. These checks shall be conducted based on your informed consent. HCLTech takes the protection and security of your Special Categories of Personal Data seriously, and the highest level of technical and organisational security controls are applied when we process your Special Categories of Personal Data.
Why We process your Personal Data?
- We process your Personal Data for specified purposes and on the following legal grounds, for the various situations which may arise during the job application process with us:
- As it may be necessary for preserving our or a Third Party’s legitimate interests or legitimate use as per the applicable laws (please see ‘How do We use your Personal Data?’ section below.);
- The Processing is necessary for us to perform contractual obligation(s) in respect of your employment or engagement with HCLTech e.g., the steps taken to enter into a contract with you, if your candidature is successful.
- As it is, or if it becomes, necessary to comply with any legal obligation(s), including but not limited to, any local law(s), to the extent of the applicability of such law(s);
- Data Processing based on your Consent.
- In exceptional circumstances you may request us to disclose your Personal Data to Third Parties or organisations such as a law firm handling a Data Subject claim on your behalf, or otherwise.
- There may also be exceptional circumstances, where you may explicitly Consent to the Processing of your Personal Data, but only if the Consent is truly freely given and unambiguous e.g., Consent to publish your photograph on marketing materials.
How We Use Your Personal Data?
We process your Personal Data, for the purposes including but not limited to the ones enlisted below, via both manual and automated means. We will always have human intervention in your candidacy assessment and never solely rely on Automated Decision-Making, including Profiling.
Talent Acquisition and onboarding:
| Purpose | Legal Basis | Categories of recipients with whom we may share your Personal Data outside of HCLTech |
|---|---|---|
| If your application is successful and you agree to join HCLTech we need to capture Personal Data to execute your employment contract and/or comply with legal and regulatory requirements as per the applicable laws. | Processing is necessary to (i) perform contractual obligation(s) in respect of your employment or engagement with HCLTech; (ii) to comply with applicable legal obligation(s). |
|
Determining a candidate’s eligibility for employment or engagement with HCLTech and its clients, including, but not limited to:
| Processing is necessary (i) to perform pre-contractual and contractual obligation(s) in respect of your employment or engagement with HCLTech, (ii) based on your consent and/or (iii) for preserving our legitimate interests in properly carrying out hiring and staffing procedures. |
|
Validating your identification details to prevent impersonation and fraud, in the manner and to the extent legally permissible as per local laws. Please note: In case your role requires working on HCLTech client engagements, clients may require their own additional ID verification process. Please refer to your job description and/or client’s provided privacy notices for more details. | Processing is necessary (i) to perform pre-contractual and contractual obligation(s) in respect of your employment or engagement with HCLTech, (ii) based on your consent and/or (iii) for preserving our legitimate interests in properly carrying out hiring and staffing procedures. |
|
Conducting background verifications to determine your eligibility for employment or engagement with:
| Processing is necessary (i) to perform pre-contractual and contractual obligation(s) in respect of your employment or engagement with HCLTech, (ii) based on your consent and/or (iii) for preserving our legitimate interests in properly carrying out hiring and staffing procedures. |
|
| To process your Personal Data in order to comply with a legal obligation or providing information to a public body or law enforcement agency, as applicable. | Processing is necessary to comply with applicable legal obligation(s). | HCLTech may sometimes be required to disclose your information to external Third Parties such as to local labour authorities, courts, and tribunals, regulatory bodies, and/or law enforcement agencies for the purpose of complying with applicable laws and regulations, or in response to legal process |
Where relevant, appropriate, and subject to local data protection regulations:
| Processing is necessary to comply with applicable legal obligation(s). | HCLTech may sometimes be required to disclose your information to external Third Parties such as to local labour authorities, courts, and tribunals, regulatory bodies, and/or law enforcement agencies for the purpose of complying with applicable laws and regulations, or in response to legal process |
| Improving our application and recruitment process through feedback forms/surveys as applicable. | Processing is necessary based on your consent. |
|
| Customizing individuals’ online experience and improve the performance, usability, and effectiveness of HCLTech ’s online presence. | Processing is necessary to preserve our legitimate interests in properly carrying out hiring and staffing procedures. |
|
| To add your details to our talent pool, and contact you if we have any new opportunities, unless you advise us to remove your details | Processing is necessary to preserve our legitimate interests in advising you about new opportunities. |
|
With Whom We Share Your Personal Data
We share your Personal Data on a need-to-know basis and only with employees or teams of HCLTech who need to Process your Personal Data as per the terms of this Notice. Whenever we permit a Third Party to access Personal Data, we will make sure the data is used in a manner consistent with this Notice (and any applicable internal data handling guidelines consistent with the sensitivity and classification of the data).
Please note, in some circumstances, we use Third Parties to support us with activities such as background checks, identity verification, recruitment and screening. Prior to sharing your Personal Data with them, we ensure that such parties have implemented appropriate safeguards and controls in relation to the protection of your Personal Data. In addition to the Third Parties’ legal obligations, we require that such Third Parties be contractually obligated to safeguard your Personal Data.
In some cases, these Third Parties may qualify as Controllers who process your Personal Data for their own purposes. Please refer to these Controllers’ privacy notices or statements.
How Long Do We Retain your Personal Data?
We retain your Personal Data for as long as it is necessary to fulfil the purposes for which it is processed. We may need to retain your Personal Data to comply with other Applicable Laws, for auditing purposes, or to support any legal claims, but only for as long as required under the obligations put forth by such laws.
Is Your Data Transferred Across International Borders?
HCLTech is a global organisation, so your Personal data, may be transferred for any of the above stated purposes to different global locations. These transfers will be undertaken in compliance with applicable law(s) and regulation(s).
If, it is necessary to transfer your Personal Data from your habitual place of residence to countries that do not offer adequate protections, then we will ensure that appropriate safeguards, as required by applicable laws, are put in place prior to the transfer of the data. For example, by incorporating standard contractual clauses (more information about such clauses is available here) or Binding Corporate Rules (BCRs) into contract(s) / data transfer agreement(s) established between the parties transferring the Personal Data. A copy of which can be requested, by registering your request at Data Subject Request Portal.
What are your rights and how can you exercise them?
Depending on your relationship with HCLTech you may have several rights in relation to your Personal Data. Please refer to Annexure A for information on Data Subject Rights. Please note, these rights are subject to exemption(s) and may not apply in all circumstances. If you wish to exercise these rights, then HCLTech will provide you with the requested information or action your request within one month after receipt of your verified request or as per the stipulated timelines governing your region, subject to any extensions that may be required and communicated to you.
You can use the following channels to exercise your rights or request more information about your rights:
- Submit your requests on the Data Subject Request Portal which can be accessed through HCLTech.com (via the Online Privacy Statement accessible via the link at the footer of each webpage).
- Alternatively, you can contact HCLTech’s Privacy Office via privacy@hcltech.com if you have any general queries.
How Do We Safeguard your Personal Data?
We implement and maintain appropriate technical, organizational, and physical security measures to protect your Personal Data, and these security measures are in line with industry best practices.
These include, but are not limited to:
- Access to data is based on need to know and least privilege principle to ensure data is only accessible to authorized individuals for performance of their duties.
- Layered security controls ranging from perimeter security to end user machine level controls such as Firewalls, Spam protection, Antivirus and Spyware solutions, security awareness trainings and incident management etc.
- To further reduce the risk associated with Data Processing, we make use of Pseudonymisation / Anonymization techniques where possible.
- Using Encryption mechanisms, where appropriate such as email Encryption, Encryption of data during transfer, secure VPN access and disk/file level Encryption, etc.
- Third Parties that process Personal Data on our behalf, do so based on written instructions and are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
What happens if you do not provide your Personal Data?
During the job application and pre-joining formalities, it is in your and our best interest for you to provide HCLTech with Personal Data, in particular certain information as mentioned above, such as contact details, education and professional experience details. Some personal data, such as your right to work in a particular jurisdiction, may have to be provided to enable HCLTech to enter into a contract of employment with you.
Certain information may be necessary to fulfil legal obligation under employment, Tax and other Applicable Laws and regulations and to exercise your statutory rights.
If you do not provide the necessary information, this will impact our ability to assess or consider your application.
If you give us the Personal Data of another person for example a referral or referee, we assume you have their permission to share their data with us.
How Do We Update This Notice?
We may update this Notice from time to time. We will post any updated version of this Notice on the HCLTech public facing websites and other relevant portal(s). We may also communicate changes to this Notice to you by email or by other necessary mean(s), if need be. Except as otherwise stated in this Notice, any updates to this Notice will be effective from the date on which they are communicated to the relevant parties.
Who can you contact?
Any questions or concerns about the operation of this document should be addressed to the relevant HR personnel who may have been in contact with you.
If you are an EU/EEA, UK or Switzerland applicant/candidate, and you have any concerns about how your Personal Data has been processed then you can contact the HCLTech ’s Data Protection Officer via hcldpo@hcltech.com.
If you are an applicant/candidate from India, and you have any concerns about how your Personal Data has been processed then you can contact the Grievance Officer for India at grievance-india@hcltech.com.
If you are an applicant/candidate that does not belong to EU/EEA, UK, Switzerland or India, and you have any concerns about how your Personal Data has been processed then you can contact the Global Privacy Office via privacy@hcltech.com.
Complaints
We want to address any privacy concerns you may have, so please contact us in the first instance. If you have any complaints about how your Personal Data is processed then you can submit your request on the Data Subject Request Portal under the request type– ‘File a Complaint’ or you may contact the Global Privacy Office at privacy@hcltech.com.
You also have the right to lodge a complaint with a data protection Supervisory Authority in the jurisdiction of your habitual residence, place of work or place of the alleged infringement.
Annexure A - Data Subject Rights:
Your rights may differ depending on applicable local laws. Generally, you may be entitled to: object to the Processing of Personal Data, access your data and have inaccurate data corrected, obtain a copy of Personal Data (in some cases in a portable format), ask us about any relevant details of Processing, ask for erasure or restriction of Processing, and to a lodge complaint with relevant authorities (in particular in the country where you live, work or where the alleged infringement took place). These rights can be summarised in broad terms with the EU/UK General Data Protection Regulation as a baseline:
Right of access
You have the right to confirm with us whether your Personal Data is processed, and if it is, to request access to that Personal Data including the categories of Personal Data processed, the purpose of the Processing and the recipients or categories of recipients. We can only provide you with your Personal Data, not Personal Data about another person. Also, where access would adversely affect another person’s rights, we are not required to provide this. Due to legal privilege, there are some records we are not able to share in connection with a claim or legal proceeding.
Right to rectification
You may have the right to rectify inaccurate or incomplete Personal Data concerning you. We encourage you to review this information regularly to ensure that it is accurate and up to date.
Right to erasure (right to be forgotten)
You may have the right to ask us to erase Personal Data concerning you. The right to erasure does not apply where your information is processed for certain specified reasons, including for the exercise or defence of legal claims.
Right to restriction of processing
In certain situations, you have the right to ‘block’ or suppress further use of your information. When Processing is restricted, we can still store your information but may not use it further. We keep lists of people who have asked for further use of their Personal Data to be ‘blocked’ to make sure the restriction is respected in future. This may affect our ability to provide services to you.
Right to data portability
You may have the right to receive Personal Data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format and you may have the right to transmit that data to another entity.
Right to object and rights relating to Automated Decision-Making
Under certain circumstances you may have the right to object, on grounds relating to your particular situation, at any time to the Processing of your Personal Data, including Profiling, by us and we can be required to no longer process your Personal Data. This may include requesting human intervention in relation to an automated decision so that you can express your view and to contest the decision.
Right to grievance redressal
As per the India’s Digital Personal Data Protection Act 2023, you may have the right to have readily available means of registering a grievance with us.
Right to nominate
As per the India’s Digital Personal Data Protection Act 2023, you have the right to nominate any other individual to exercise these rights in the event of death or incapacity.
If you are a California resident, please visit the following link for more details about your rights.
You are entitled to receive your Personal Data free of charge except in the following circumstances where we may charge a reasonable fee to cover our administrative costs of providing the Personal Data for:
- manifestly unfounded or excessive/repeated requests, or
- further copies of the same information.
To exercise any of the above mentioned rights please submit your request through our Data Subject Request Portal.
Annexure B – Definitions:
| Applicable Law | Local laws applicable to HCLTech. |
| Employer | The local entity which offers employment and/or is demarcated as employer on the employment agreement signed by the employee. |
| Controller | The entity/person who (either alone or jointly or in common with other entities/persons) determines the purposes for which and the manner in which any Personal Data are or are to be processed. |
| Processor | Any person or an entity who processes the data on behalf of the Controller. |
| Data Subject | Any identified or identifiable living individual natural person. Note: A Data Subject may be referred to by other terminologies in different jurisdictions. A data subject is called a data principal as per Indian jurisdiction. |
| Personal Data | Any information relating to an identified or identifiable individual. An identifiable individual is one who can be identified, directly or indirectly, in particular, by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural, or social identity. |
| Special Categories of Personal Data | Any Personal Data revealing race or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation. |
| Data Processing/ Processing | Any operation or set of operations which is performed on personal data, such as collecting, recording, organizing, storing, adapting, or altering, retrieving, consulting, using, disclosing by transmission, dissemination or otherwise making the data available, aligning or combining data, or blocking, erasing or destroying data. Not limited to automatic means. |
| Encryption | The method by which plaintext or any other type of data is converted from a readable form to an encoded version that can only be decoded by another entity if they have access to a decryption key. |
| Automated Decision-Making | Subject to local applicable law, every data subject has the right not to be subject to a decision which produces legal effects concerning him or significantly affects him and which is based solely on automated processing of data intended to evaluate certain personal aspects relating to him. |
| Supervisory Authority | Independent Authority or division associated with an Authority in any relevant jurisdiction, whose primary purpose and function is to regulate matters related to personal data. |
| Pseudonymisation | The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. |
| Anonymization | The process of either encrypting or removing personal data from a database, so that the individuals whom the data describe remain anonymous. This is done for the purpose of protecting individuals’ private activities while maintaining the integrity of the data gathered and shared. |
| Consent | Any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. |
| Profiling | Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. |
| Third Party | A natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorised to process personal data. |