Candidate Data Privacy Notice

Our personal data processing practices for job applicants and candidates

1. Purpose and Scope of This Notice
2. Who We Are
3. Categories of Personal Data and From Where We Receive Them
4. Purposes and Legal Grounds for Which Rivian Will Collect and Use Your Candidate Personal Data
5. Cross-border Data Transfers (International Transfers of Candidate Personal Data)
6. When Personal Data May Be Shared
7. Data Retention
8. Data Security
9. Your Data Privacy Rights
10. Changes to This Notice
11. Contact Us

1. Purpose and Scope of This Notice

Rivian respects your privacy and we are committed to protecting it. The purpose of this Candidate Data Privacy Notice (the “Notice”) is to inform you how we process your personal information or personal data (within the meaning of the applicable data protection laws) when you apply for employment and/or participate in our recruitment processes (“Candidate Personal Data”).

2. Who We Are

This Notice uses the Term “we”, “us” or “our”, which refers to the legal entity of the Rivian Automotive group of companies (“Rivian Group”) that you have sent an application to or communicated with related to our employment application and recruitment processes. This legal entity is the applicable Data Controller and may be found at the link in Section 11 below.

3. Categories of Personal Data and From Where We Receive Them

We may process the following categories of your Candidate Personal Data:

Contact information, such as your full name, home address, telephone number, and email address.*
Personal Information, such as gender, date of birth, signature, race, ethnic origin, current and past citizenship, marital status, disability, and veteran or military status, if you choose to provide this information.
Communications, such as email, text, or chat messages that we have exchanged with you.
Educational and professional background, such as your work history, academic and professional qualifications, educational records, references, interview notes, and criminal records.*
Employment details, such as your current employment information, including job title, position, hire dates, salary expectations, visa sponsorship needs, work authorization status, and the same information with respect to any previous employment you have held.*
Social media and website profiles, if you choose to provide this information, as well as and other information about you that is publicly available on the internet.
Network and device information, such as your IP address; computer or mobile phone make, model, operating system version, and screen size; MAC ID; operating system and platform; and browser type and version.
Recruiting system usage and interaction, such as your location, device/equipment, actions within the system(s), referring links to job postings (if any), and page visits, with your consent, where required by law.
Security information, such as passwords, security questions, and usernames if you create an account with us.
Preferences, such as your preferences for communication (e.g., language preferences) and positions of interest to you.

The Candidate Personal Data identified above with an (*) is mandatory in order to conduct our recruiting activities. Failure to provide or allow us to process mandatory Candidate Personal Data may affect our ability to consider you for employment.

We may collect Candidate Personal Data directly from you, as a job applicant, including when you submit an online or paper job application and any associated documents, such as a cover letter or resume, and in the course of subsequent communications and/or interviews following submission of your application. We may also collect Candidate Personal Data via automatic means, such network and device information and recruiting system usage and interaction information, as noted above, if you have not opted out of this collection. We may also receive Candidate Personal Data from third parties, with your consent, where required by law, such as through a background, employment, or reference check; from a staffing agency or equivalent; or from public sources such as LinkedIn.

4. Purposes and Legal Grounds for Which Rivian Will Collect and Use Your Candidate Personal Data

We process your Candidate Personal Data where necessary:

With your explicit consent (if applicable law requires consent), e.g., when allowing us to track certain interactions in our recruiting system and retain and use your application to inform you about and consider you for other positions that may be appropriate for you;
To carry out our application and recruitment process and take steps necessary to establish an employment relationship or enter into an employment contract with you at your request, e.g., communicating with you about the recruitment process and your application;
To comply with a legal obligation that applies to us, e.g., to create and submit reports as required by applicable laws or regulations, or to confirm your legal eligibility to work in a given jurisdiction; and
For our legitimate interests or the legitimate interests of third parties. We process your Candidate Personal Data based on the following legitimate interests:
- Identifying and evaluating job applicants, including assessing skills, qualifications, and interests for the purposes of determining eligibility and suitability for the position for which you have applied;
- Verifying your information and carrying out employment, background, and reference checks, where applicable, subject to your consent where required by applicable law;
- Keeping records related to our hiring processes, for only as long as required by law or other internal retention requirements;
- Complying with our legal, regulatory, or other corporate governance requirements;
- Analyzing and improving our application and recruitment process, including identifying from where candidates navigated to our job postings;
- Preventing fraud associated with our recruitment or employment processes;
- Ensuring network and Information security, including preventing unauthorized access to our computer and electronic communications systems and preventing malicious software distribution; and
- As otherwise required or permitted by applicable law.

If you would like for us to consider you for positions other than the one for which you have applied, you may instruct us to do so and we will retain and use your Candidate Personal Data for that purpose.

5. Cross-border Data Transfers (International Transfers of Candidate Personal Data)

Candidate Personal Data may be transferred or stored internationally, including to or in countries that do not have data protection laws equivalent to those in the country where you reside or where your personal data is collected, for the purposes described in Section 4 above.

For transfers of Candidate Personal Data from the European Economic Area (“EEA”) Member States or UK to countries for which the EU Commission or the UK Information Commissioner’s Office has issued an adequacy decision saying the level of data protection is equivalent to the level within the UK or EU, we can rely on those adequacy decisions; this applies, inter alia, for data transfers between the UK and EEA Member States.
For transfers of Candidate Personal Data from Serbia to countries from the list of countries providing an adequate level of protection of personal data that is maintained by the Serbian Government, we can rely on that list.
For any transfers of Candidate Personal Data from the EEA, UK, or Serbia to countries not considered to provide an adequate level of protection of personal data by default, Rivian has implemented appropriate safeguards to provide the necessary level of data protection, primarily by entering into appropriate data transfer arrangements based on approved standard contractual clauses.
Candidate Personal Data about Canadians or that is collected in Canada may be transferred or stored outside of Canada, including to/in the United States, the United Kingdom, and the European Union, and may be subject to the laws and accessible to the courts, law enforcement and national security authorities of such jurisdictions. Please contact our Canadian Privacy Officer as listed in Section 11 below if you wish to ask a question or obtain written information about our policies and practices with respect to service providers and other members of the Rivian Group outside of Canada who may process or store Candidate Personal Data.

6. When Personal Data May Be Shared

Candidate Personal Data may be accessed by or disclosed to Rivian employees who have a need to know such information in order to perform their duties and responsibilities. Such employees may include those in the People Team, Finance, Legal, and the team(s) to which the Candidate has applied, depending upon the information they each require in order to perform their job duties and responsibilities. This access or disclosure may include transfers of Candidate Personal Data to other members of the Rivian Group, who may use Candidate Personal Data for the same purposes described in Section 4 above.

Candidate Personal Data may be held at offices of Rivian, including in the United States, the United Kingdom, the European Union, and in the cloud, as well as shared with third party staffing agencies from which we may source candidates and service providers such as those providing background checks. We may also share Candidate Personal Data with other third parties if you authorize us to do so or where the sharing of Candidate Personal Data is otherwise permitted or required by applicable law.

Where legally required, we have entered into data processing agreements with external service providers and other members of the Rivian Group that meet the requirements of applicable data protection laws, including Art. 28(3) EU/UK GDPR (where applicable). For example, all Candidate Personal Data will be shared with Greenhouse Software, Inc., a cloud services provider located in the United States who is engaged by Rivian to help manage its recruitment and hiring process on Rivian’s behalf and may use Candidate Personal Data for this purpose. That transfer will be subject to appropriate safeguards, including, where applicable, under standard contractual clauses as described above. For more information on data transfers, please contact us as shown in Section 11 below.

7. Data Retention

We will retain your Candidate Personal Data for a minimum of six months after we have informed you of the outcome of the recruitment process. We may keep the data longer if:

it is necessary for the purpose of fulfilling a legal obligation which includes the processing of personal data;
it is necessary for other accounting or reporting requirements;
we need to process the data for the establishment, exercise or defense of legal claims; and/or
you have provided your consent for us to retain the data for a longer period, consistent with our standard data retention practices.

To determine the appropriate retention period for Candidate Personal Data, we consider our legal obligations, the amount, nature, and sensitivity of the Candidate Personal Data, the potential risk of harm from unauthorized use or disclosure of your Candidate Personal Data, the purposes for which we process your Candidate Personal Data, and whether we can achieve those purposes through other means.

Under some circumstances we may anonymize or de-identify your Candidate Personal Data so that it can no longer be associated with or used to identify you. We reserve the right to use such anonymous and de-identified data for any legitimate business purpose without further notice to you or your consent, unless required by law.

If you are offered and accept employment with Rivian, the Candidate Personal Data we collected during the application and recruitment process will become part of your employment record, and we may use it in connection with your employment consistent with our internal policies and as described in our Workforce Personal Data Privacy Notice. If you do not become an employee, or, once you are no longer an employee of Rivian, we will retain and securely destroy your Candidate Personal Data in accordance with our record retention policies and applicable laws and regulations.

8. Data Security

We have in place appropriate security measures intended to prevent your Candidate Personal Data from being accidentally lost or used or accessed in an unauthorized way, including encryption of this information in transit and at rest and the implementation of controls designed to limit access to your Candidate Personal Data to those Rivian personnel who have a genuine business need to know it. Those Rivian personnel who process your Candidate Personal Data are required to do so only in an authorized manner and are subject to a duty of confidentiality.

We also have procedures in place to deal with any suspected data security breach. We will notify you and/or any applicable regulator of a suspected data security breach where we are legally required to do so in accordance with any legally prescribed timeframes.

Despite our implementation of these measures, posting or transmission of personal data via the internet, including using our recruiting system, by email or by other electronic means, is not completely secure. We cannot guarantee that personal data that is transmitted to us, particularly by electronic means, will be totally secure. It is possible that third parties may unlawfully intercept or access such data.

9. Your Data Privacy Rights

It is important that the Candidate Personal Data we hold about you is accurate and current. Please keep us informed if your Candidate Personal Data changes during the recruitment process.

Depending on your location and applicable laws and regulations, you may have data privacy rights regarding Rivian’s processing of your personal data. Provided that the respective legal requirements are met, and based on the legal requirements applicable to your jurisdiction, subject to any legal restrictions or exceptions, you may have the right to:

request confirmation from us as to whether or not your personal data is being processed by Rivian and, if so, access to such data and/or the more detailed circumstances of the data processing (right of access / right to know);
demand that we correct any inaccurate personal data relating to you without undue delay. In this context, taking into account the purposes of the processing, you may also have the right to request the completion of incomplete personal data – also by means of a supplementary declaration (right to rectification / correction);
demand from us that your personal data be deleted without delay (right to erasure / deletion / right to be forgotten). In certain circumstances, it may not be possible for us to accept your request, for example, when the processing is necessary to comply with a legal obligation, or if the processing is necessary for the performance of a contract;
require us to restrict processing (right to restriction of processing). In certain circumstances, it may not be possible for us to accept your request, for example, when the processing is necessary to comply with a legal obligation, or if we can demonstrate compelling legitimate grounds otherwise;
in case of processing based on consent or for the performance of a contract, receive the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format and transfer this data to another controller without hindrance from us; insofar as this is technically feasible, we will transfer the data directly to the other controller (right to data portability);
object to processing of your personal data, on grounds relating to your particular situation, to the processing of personal data concerning you which is (i) necessary for the performance of a task carried out in the public interest, (ii) carried out in the exercise of official authority vested in us, or (iii) processed by us on the basis of our legitimate interest (right to object). In this case, where applicable, we will no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims; or
lodge a complaint with a supervisory authority at any time if you are of the opinion that the processing of personal data relating to you violates applicable law.

If the complaint relates to provisions of the EU GDPR, you can lodge such complaint with a supervisory authority in particular in the Member State of your place of residence, your place of work or the place of the alleged infringement. You may identify the applicable lead supervisory authority based on your location on the European Data Protection Board website. If the complaint relates to provisions of the UK GDPR, you can lodge such complaint with the Information Commissioner’s Office. If the complaint relates to provisions of the Serbian Data Protection Act, you can lodge such complaint with the Commissioner for Information of Public Importance and Personal Data Protection.

Where you have been asked to give and have given consent to Rivian’s collection, use or disclosure of your Candidate Personal Data, you may change your mind and withdraw that consent at any time, subject to reasonable notice and any contractual or legal exceptions, without affecting the lawfulness of our processing of your Candidate Personal Data based on consent before its withdrawal. Please note, however, that varying or withdrawing your consent may affect our ability to communicate with you and/or consider you for employment, and we may still need to retain your Candidate Personal Data as noted in Section 7 above.

You can exercise any data subject rights you may have by contacting us as specified in Section 11 below. We will acknowledge and coordinate these requests as timely as possible. Initially, we will respond to any such requests within one month or in accordance with applicable laws. In case we cannot comply with a request or cannot respond within that timeframe, we will generally provide you with the reason for this. We may request specific information from you to help us confirm your identity and your rights. Applicable law may allow or require us to refuse to provide you with access to some or all of the Candidate Personal Data that we hold about you, or we may have destroyed, erased, or made your Candidate Personal Data anonymous in accordance with our record retention obligations and practices. If we cannot provide you with access to your Candidate Personal Data, we will generally inform you of the reasons why, subject to any legal or regulatory restrictions.

10. Changes to This Notice

We reserve the right to update this Notice at any time, and we will provide you with a new Notice when we make any material updates. If we would like to use your previously collected Candidate Personal Data for different purposes than those we notified you about at the time of collection, we will provide you with notice and, where required by law, seek your consent, before using your Candidate Personal Data for a new or unrelated purpose. We may process your Candidate Personal Data without your knowledge or consent only where permitted or required by applicable law or regulation.

Last Revised: September 19, 2022

Effective Date: September 19, 2022

11. Contact Us

If you have any questions or concerns about our processing of your Candidate Personal Data, this Notice or would like to alter or withdraw your consent or exercise your privacy rights, please contact us as specified below based on your location:

US/Other: By email at privacy@rivian.com or by mail at Attn: Privacy Officer, 14600 Myford Road, Irvine, CA 92606.
Canada: Attn: Privacy Officer, by email at privacy@rivian.com, by telephone at (844) 748-4261 or by mail at 1038 Homer Street, Vancouver, BC V6B 2W9.
EU/UK: By email at dpo@rivian.com or by writing to Herengracht 433, Unit 2.01 and 2.02, 1017 BR Amsterdam, The Netherlands.
Serbia: By email at dpo@rivian.com or by writing to Rivian SE Europe d.o.o. Beograd, c/o Petrikić & Partneri AOD, in cooperation with CMS Reich-Rohrwig Hainz, Krunska 73, 11000 Belgrade, Serbia

You may view the list of Rivian Data Controllers within the meaning of applicable privacy laws at this webpage.