Candidate privacy notice

Last updated and effective date: 16 June 2026

Welcome to the OAG recruitment privacy notice

The purpose of this OAG Recruitment Privacy Notice ('Notice') is to inform you about how we collect, use, store, share, and protect your personal data in connection with our recruitment activities. It also outlines your rights as a data subject, identifies the relevant data controllers, and provides contact details for any questions or concerns.

1. Who we are

This Notice covers the processing of personal data carried out by OAG Aviation Worldwide Limited, registered in England and Wales, No. 08434134, registered address at 1 Capability Green, Luton, Bedfordshire, LU1 3LU, United Kingdom, and its affiliated group companies, including:

  • OAG Aviation Worldwide Limited

  • OAG Aviation Worldwide LLC

  • OAG Aviation Worldwide Pte Ltd

  • OAG Aviation Worldwide, UAB

  • Infare Solutions A/S

  • Infare VNO, UAB

  • Air Cube SAS

Further information about our group companies is available at oag.com/office-locations.

The OAG entity to which you have applied is the data controller responsible for the personal data relating to your job application and any employment-related matters concerning that specific entity, whether in connection with employment or contractor engagement.

In this Notice, 'personal data' refers to any information that can identify, relate to, describe, or reasonably be linked – directly or indirectly – to a specific individual. This does not include aggregated or de-identified data that cannot reasonably be connected to an individual.

2. How to contact us

If you have any questions about this Notice or how we handle your personal data, please get in touch:

Address

OAG Aviation Worldwide Limited, 1 Capability Green, Luton, Bedfordshire LU1 3LU, United Kingdom (Attn: Legal Department / Privacy)

Email

privacy@oag.com

Phone

+44 (0)1582 695050

 

Our Data Protection Officer is Sonya Stephens, who can be contacted at privacy@oag.com

To submit a data rights request, please use our online privacy rights form

3. What personal data we collect

Source

Category and details

Directly from you

Contact information – full name, email address, postal address, phone number, and professional networking profile (e.g., LinkedIn).

Directly from you

CV / cover letter information – previous work experience, qualifications, languages, skills, awards, professional memberships, references, and other employment history relevant to the role.

Directly from you

Right to work information – details of your legal entitlement to work in the country or region where the role is based.

Directly from you

Application process data – results of role-specific assessments or tests, including personality tests, logical reasoning tests, and other evaluations. These support our recruiters in assessing suitability; any profiling or automated processing informs but never replaces decisions made by our people. You may object to profiling and ask a team member to consider your application without it; where we cannot reasonably offer an alternative we will explain the implications, which may include that we are unable to progress your application.

Directly from you

Pre-employment data – information required to prepare your employment contract if you are offered and accept a role with an OAG entity.

Directly from you

Other information – any additional data you provide during the interview or recruitment process.

Via third parties

Social media platforms – publicly available information from business and employment-focused networks (e.g., LinkedIn).

Via third parties

Recruitment agencies – data provided by agencies engaged to assist in the recruitment process.

Via third parties

Referees – information from individuals named as referees, including their name and employment history relevant to your reference.

Via third parties

Employee referrals – information provided by an OAG employee who has referred you for a role.

Background checks and criminal records

We conduct background checks as part of our recruitment process where appropriate for the role. We collect information about criminal convictions only where this is legally required or expressly permitted by applicable law for the specific role.

Cookies

When you interact with our website, we collect information via cookies based on your preferences. Cookies are small text files used to enhance your experience. You can manage your preferences via the cookie settings link on our website.

 

Please do not include sensitive personal information (such as your sexual orientation, race, ethnic origin, religion, beliefs, or health-related data) in your CV or cover letter, unless its inclusion is legally required or necessary to help us make reasonable adjustments during the recruitment process.

You are responsible for ensuring that the personal data you provide to us is accurate, up to date and not misleading, and for letting us know if it changes.

 

4. Legal grounds for processing personal data

OAG processes personal data based on the following lawful bases:

  • Consent – where required, we rely on your explicit consent for specific processing activities, such as to incorporate your information into our database of potential future candidates and to communicate with you regarding potential future job opportunities.

  • Legitimate interests – including attracting, identifying, and sourcing talent; processing and managing applications for roles within OAG; screening, assessing and selecting candidates; hiring and onboarding successful candidates; conducting pre-employment screening checks; managing and improving our recruitment processes, systems and careers webpage, including statistical analysis; ensuring the security and integrity of our systems and preventing fraud or misuse; maintaining internal records and conducting audits; protecting and enforcing our legal rights and policies; and the establishment, exercise or defence of legal claims. We may also process your personal data for other purposes that are compatible with those described in this Notice.

  • Performance of a contract – to take steps necessary prior to entering into an employment contract with you, once you have been selected for the role.

  • Legal compliance – to fulfil legal and regulatory obligations applicable to OAG.

Each lawful basis is applied as appropriate to the specific processing activities carried out by OAG.

 

5. Recruitment technology and artificial intelligence

We use third-party recruitment technology to manage and support our hiring process. Some of these tools use artificial intelligence to assist our recruiters, for example by transcribing and summarising interviews, suggesting interview questions or job-description content, and producing recruitment analytics. Where we use these tools, we rely on our legitimate interest in running an efficient, consistent and well-documented recruitment process. Any artificial intelligence is used only to assist our staff: all shortlisting, assessment and hiring decisions are taken by our people, with meaningful human involvement, and are not based solely on automated processing. We do not use these tools to recognise or infer your emotions. Where an interview is to be recorded or transcribed, we will tell you in advance. If you would prefer your interview not to be recorded or transcribed, you may let us know and we will seek to accommodate your request where it is reasonably practicable to do so; where recording or transcription forms an integral part of the process for a particular role, we will explain this to you so that you can decide how to proceed. You may also object to our use of these tools in relation to your data and ask for a human review; you can contact us using the details in Section 2 to do so.

Where we process special category data, for example health information you provide so that we can make reasonable adjustments during recruitment, or diversity monitoring information, we do so only where an additional condition under Article 9 of the UK GDPR and EU GDPR applies, namely the carrying out of our obligations and exercise of our rights in the field of employment or, for voluntary diversity monitoring, your explicit consent.

 

6. Data retention periods

If you are not selected for a vacancy or you reject a job offer, we will retain your profile information for no longer than is necessary for the purposes set out in this Notice and as a general rule we will erase or anonymise it within 6 months after the end of the relevant recruitment process. We may, however, retain some or all of your personal data for a longer period where we consider it necessary or appropriate, including to comply with our legal or regulatory obligations, to establish, exercise or defend legal claims, to deal with any actual or anticipated complaint or dispute, or where you have given consent for us to keep it for future opportunities. Where data is retained on this basis, we will keep it only for as long as the relevant purpose requires and will then securely erase or anonymise it.

At the end of this period, we will write to you to seek explicit consent to retain your personal data for a fixed period, which will be clearly indicated at the time of requesting consent, for any future opportunities that may arise in OAG. If you opt to withdraw consent to retain your personal data, then it will be securely destroyed.

If you are offered and accept employment with an OAG entity, the personal data we collect during the application and recruitment process will be retained and become part of your employment record and we may use such information in connection with your employment consistent with applicable law and our internal policies.

 

7. Disclosures of your personal data

As part of the recruitment process, we may share your personal data with the following categories of third parties, located within or outside the UK and EEA (subject to appropriate contractual safeguards), as necessary:

  • OAG entities: we may transfer your personal data to other entities within the OAG Group (e.g. individuals involved in your interviews or those making employment decisions) in the UK, Europe, and other global locations, for the purposes outlined in this Notice, including facilitating the recruitment process. These transfers are governed by an intra-group agreement that ensures compliance with applicable data protection laws.

  • Authorised OAG representatives – individuals involved in managing the recruitment process or responsible for fulfilling contractual obligations may access your personal data as necessary.

  • Third party service providers – includes recruitment agencies, software platforms, and background screening providers engaged to support the recruitment process. If you have applied via a third-party job search engine, job board, or other recruitment platform (a 'Service Provider'), we may share relevant personal data with them. This may include: your name and contact details, any unique identifier assigned by the Service Provider, your application status or progress in our hiring process, analytical or profile-related data concerning your candidacy. The Service Provider acts as an independent data controller for the personal data it processes and is responsible for complying with applicable data protection laws following receipt of your data.

This list is non-exhaustive; there may be additional instances where we need to share personal data to provide services efficiently or comply with legal obligations.

When engaging third parties, we take all necessary steps to ensure they implement appropriate technical and organisational measures to protect your personal data.

 

8. International transfers

OAG operates globally, and your personal data may be accessed by or transferred to OAG group entities and third-party service providers located outside the UK and EEA, including in the United States and Singapore.

Where personal data is transferred between the UK and EEA countries (or vice versa), we rely on applicable adequacy decisions as the lawful transfer mechanism - specifically, the UK adequacy regulations for EEA-to-UK transfers and the EU–UK adequacy decision for UK-to-EEA transfers.

For transfers to other countries, including the United States and Singapore, we ensure appropriate safeguards are in place in accordance with applicable data protection law. Depending on the provider and destination, these safeguards include:

EU Standard Contractual Clauses (SCCs), each supported by a data protection test to confirm that the standard of protection in the destination country is not materially lower than that provided under UK law, in accordance with the Data (Use and Access) Act 2025;

the UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs; or

where a provider is certified under the EU–US Data Privacy Framework and its UK Extension, reliance on that framework as the transfer mechanism.

Some of our recruitment technology providers are based in, or process personal data from, the United States. Where such providers hold current Data Privacy Framework certification (including the UK Extension), we rely on that certification. Where they do not, we rely on SCCs and the UK Addendum as described above.

If you would like further information about the safeguards applicable to any specific transfer, please contact us.

 

9. Data security

We take the security of your personal data seriously and have implemented a range of technical and organisational measures, including:

  • Employee training on privacy obligations and data handling

  • Access controls on a need-to-know basis

  • Technological safeguards including firewalls and anti-virus software

  • Encryption of personal data in transit and at rest

  • Physical security measures including access passes for our facilities

  • Regular security audits and vulnerability assessments

  • Authentication mechanisms for sensitive systems

  • Incident response procedures, including breach notification to you and regulators where legally required

While we take appropriate security measures, no internet transmission (including email) is entirely risk-free. We will always strive to protect your data, but absolute security cannot be guaranteed.

 

10. Third-party websites

Our websites may contain links to third-party websites, plug-ins, applications, information sources, and related party websites. Clicking on these links or enabling such connections may allow third parties to collect or share data about you. Please note that these third-party websites have their own privacy policies, which we do not control or take responsibility for. We recommend reviewing their privacy policies before providing any personal data.

 

11. Your data protection rights

Depending on your location and applicable law, you have the following rights in relation to your personal data:

Your right

What it means

Access

Request a copy of the personal data we hold about you

Correction

Ask us to correct inaccurate or incomplete data

Erasure

Ask us to delete your personal data in certain circumstances

Restriction

Ask us to limit how we use your data in certain circumstances

Objection

Object to processing based on legitimate interests or for direct marketing

Portability

Receive your data in a structured, machine-readable format and transfer it to another provider (where applicable)

Withdraw consent

Where we rely on consent, withdraw it at any time (without affecting prior processing)

Automated decision-making and profiling

Request human review of, or contest, any decision made solely by automated means (including profiling) that produces legal or similarly significant effects for you. This right applies where we engage in such processing.

Complaint

You have the right to lodge a complaint with us at privacy@oag.com or through our privacy rights request form. We will acknowledge and respond to your complaint within 30 days. If you are not satisfied with our response, you may escalate your complaint to a supervisory authority.

UK Residents: You may also lodge a complaint with the Information Commissioner's Office.

EEA Residents: You may file a complaint with your local data protection authority (list available here).

United States (Illinois) Residents: You have the right to contact the Illinois Department of Human Rights in connection with your application.

Singapore Residents: You may lodge a complaint with the Personal Data Protection Commission.

 

To exercise any of these rights, please use our privacy rights request form or contact us.

12. Changes to the notice

We review this Notice regularly and may update it to reflect changes in law, regulatory guidance, or our practices. The latest version will always be available on our websites. Where practicable, we will notify you by email of significant changes. We encourage you to review this Notice periodically.

 

13. Country-specific provisions

The following provisions apply in addition to the rest of this Notice for candidates in the countries below and prevail to the extent of any conflict.

France

Where we use any method or technique to assess you during the recruitment process, we will inform you in advance. The results of any such assessment are confidential. We will not collect information about you by any means that has not first been brought to your attention, and information we request from you is limited to assessing your suitability for the role applied for.

United States (Illinois)

Where we use artificial intelligence or other automated decision-making tools that have a material influence on recruitment decisions for Illinois-based roles, we will notify you of this before or at the point such tools are used, explain how the technology works and the characteristics it is designed to assess, and tell you how you can seek an alternative process or raise a concern. We do not use automated tools in a manner that discriminates against candidates on the basis of a protected characteristic under applicable Illinois law. Where we use artificial intelligence to analyse a recorded video interview for an Illinois-based role, we will notify you in advance, explain the characteristics the technology assesses, obtain your written consent, and restrict access to the recording to those involved in evaluating your application. You may withdraw consent or request deletion of your recording at any time; we will action any such request within 30 days.

Singapore

We collect, use and disclose your personal data with your consent, including deemed consent where you voluntarily provide it for your application, or where permitted under the Personal Data Protection Act 2012; you may withdraw your consent on reasonable notice, and we will inform you of the likely consequences of doing so. We do not collect your NRIC or FIN, or a copy of it, during the application stage unless required by law or necessary to verify your identity to a high degree of fidelity, normally after an offer is made. Where we transfer your personal data outside Singapore, we ensure it receives a standard of protection comparable to that under the Act, for example through contractual safeguards.