Privacy Notice under the California Privacy Rights Act (“California Notice”) - CA Residents
If you are a California resident and a job applicant of Atara Biotherapeutics, Inc., this serves as our privacy notice to you in compliance with the California Consumer Privacy Act (“CCPA”) and the California Privacy Rights Act (“CPRA”). We will refer to the CCPA and CPRA collectively as “California Privacy Laws”.
This California Notice refers only to rights under the California Privacy Laws. However, other California laws may govern access to certain employment records. For example, California Labor Code Section 1198.5 governs an employee’s right to inspect and receive a copy of certain personnel records the employer maintains relating to the employee’s performance or any grievance concerning the employee. We reserve the right to object to a request under this California Notice to the extent it conflicts with obligations we may have under such other California laws or under federal laws.
This California Notice supplements our Atara Global Privacy Policy and is applicable to the extent Atara Biotherapeutics, Inc. is subject to the California Privacy Laws.
Under the California Privacy Laws, Personal Information for purposes of this California Notice is information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
Notice of Personal Information We Collect and Have Collected in the Past 12 Months
Category | Collected | Business or Commercial Purpose | Categories of Sources of Personal Information |
A. Identifiers. | Name, postal address, email address, social security number, driver’s license number, passport number or similar identifiers. | To process employment applications, payroll and benefits administration, human resources administration, regulatory compliance, internal and/or external or governmental compliance investigations, internal or external audits, litigation evaluation, prosecution and defense, diversity and inclusion initiatives, relocation, compliance with statutory requirements. | From the candidate directly, or from contracted service providers such as staffing agencies, recruiting software, other service providers, and company operating systems. |
B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). | Name, signature, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, or employment history. | To process employment applications, payroll and benefits administration, human resources administration, regulatory compliance, internal and/or external or governmental compliance investigations, internal or external audits, litigation evaluation, prosecution and defense, diversity and inclusion initiatives, relocation, compliance with statutory requirements. | From the candidate directly, or from contracted service providers such as staffing agencies, recruiting software, other service providers, and company operating systems. |
C. Protected classification characteristics under California or federal law. | Age (40 years or older), race, national origin, citizenship, or creed, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status. | To process employment applications, payroll and benefits administration, human resources administration, regulatory compliance, internal and/or external or governmental compliance investigations, internal or external audits, litigation evaluation, prosecution and defense, diversity and inclusion initiatives, relocation, compliance with statutory requirements. | From the candidate directly, or from contracted service providers such as staffing agencies, recruiting software, other service providers, and company operating systems. |
D. Commercial information. | No. | N/A | N/A |
E. Biometric information. | No. | N/A | N/A |
F. Internet or other similar network activity. | No. | N/A | N/A |
G. Geolocation data. | No. | N/A | N/A |
H. Audio, electronic, visual, thermal, olfactory, or similar information. | No. | N/A | N/A |
I. Professional or employment-related information. | Current or past job history or performance evaluations | To verify previous employment for background checks. | From the candidate directly, or from contracted service providers such as staffing agencies, recruiting software, other service providers, and company operating systems. |
J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)). | No. | N/A | N/A |
K. Inferences drawn from other Personal Information. | No. | N/A | N/A |
L. Sensitive Personal Information. | Social security, driver’s license, state identification card, or passport number. | To verify previous employment for background checks, regulatory compliance, internal and/or external or governmental compliance investigations, internal or external audits, litigation evaluation, prosecution and defense, diversity and inclusion initiatives, restructuring and relocation, compliance with statutory requirements. | From the candidate directly, or from contracted service providers such as staffing agencies, recruiting software, other service providers, and company operating systems. |
Notice of Personal Information Sold or Shared To Third Parties In the Past 12 Months
We have not sold or shared (for cross-context behavioral advertising) Personal Information to third parties in the past 12 months. Therefore, we are not required to provide an opt-out from the sale or sharing of such information.
Statement of Use or Disclosure of Personal Information In the Past 12 months
We have not disclosed Personal Information to third parties in the past 12 months, except as follows: (1) identifiers as required in response to discovery requests in litigation; (2) identifiers and other required Personal Information elements as legally required by applicable governmental entities, agencies, and/or regulatory authorities.
Statement Regarding Use and Disclosure of Sensitive Personal Information
We do not infer characteristics from your Sensitive Personal Information and do not use or disclose your Sensitive Personal Information except for purposes permitted under California Privacy Laws. Therefore, we are not required to provide a Right to Limit the use of such information.
Your Rights Under California Privacy Laws
You have the following rights under California Privacy Laws:
• The right to know what Personal Information we have collected about you, including the categories of Personal Information, the categories of sources from which the Personal Information is collected, the business or commercial purpose for collecting, selling, or sharing Personal Information, the categories of third parties to whom we have disclosed Personal Information, and the specific pieces of Personal Information we have collected about you (“Right to Know”);
• The right to delete Personal Information that we have collected from you, subject to certain exceptions (“Right to Delete”);
• The right to correct inaccurate Personal Information that we maintain about you (“Request to Correct”); and
• The right not to receive discriminatory treatment by the business for the exercise of privacy rights conferred by the CPRA, including your right not to be retaliated against for the exercise of your CPRA rights.
Methods For Submitting Requests to Know, Correct and Delete
You may submit Requests to Know, Requests to Correct and Requests to Delete by one of the following methods: sending an email to privacy@atarabio.com or via mail to:
Atara Biotherapeutics, Inc.
Attn: Privacy Officer
2380 Conejo Spectrum St., Suite 200
Thousand Oaks, CA 91320
You cannot submit a Request to Know more than twice in a 12‐month period.
Verification of Requests
We will need to verify your identity to respond to Requests to Know, Requests to Correct and Requests to Delete. Depending on the nature of the request and the Personal Information that is the subject of the request, we may request two or more pieces of Personal Information for the purpose of verifying the consumer together with a signed declaration under penalty of perjury that the requestor is the consumer whose Personal Information is the subject of the request.
Authorized Agent
As a California resident, you have the right to designate an agent to exercise these rights on your behalf. In such cases, we may require you to do either of the following: (1) verify your own identity directly with us or (2) directly confirm with the business that you have provided the authorized agent permission to submit the request. Alternatively, you or your authorized agent can provide us a power of attorney pursuant to Probate Code sections 4121 to 4130. Please contact us at privacy@atarabio.com for more information if you wish to submit a request through an authorized agent.
Contact Us
If you have questions about our privacy policies or practices or this California Notice, please contact us at privacy@atarabio.com.
Privacy Notice and Consent - EU & UK Residents
Atara is committed to protecting your privacy and will make efforts to protect your personal data (“Personal Data”) in accordance with this Privacy Notice (“Notice”), which applies to the Personal Data that it collects and processes about job applicants like you.
Data Controllers
Atara and/or its Affiliates (hereinafter referred to as “Atara,” “we,” or “our”), will act as Data Controller and will process your Personal Data, as specified below, by determining purposes and means of its processing, as per the EU General Data Protection Regulation 2016/679 (“GDPR”) and the United Kingdom Data Protection Act and its application of GDPR (“UK GDPR”).
Types of Personal Data
Atara will process, both electronically and manually, your personal information and contact details (e.g. your name, title, postal and email address and phone number), as well as professional information about you, including your employer, field of expertise and specialization, immigration status (as applicable), your employment history, and your curriculum vitae (together, “Personal Data”). Personal Data has the meaning given to it under the GDPR and UK GDPR.
Purposes of use of your Personal Data
Atara shall collect and use your Personal Data submitted by you for the following purposes:
- To consider your profile for a current job opening;
- To consider your profile for a future career opportunity within Atara;
- To complete all processes related to securing potential employment at Atara, including, but not limited to, background checks and other steps related to the employment screening process.
Should Atara need to process your Personal Data for any purposes additional to those mentioned above, Atara shall request your permission to do so prior to such additional processing.
Lawfulness of Processing
The legal grounds for processing your Personal Data for the above-mentioned purposes are the following:
- Atara may ask for your consent to collect and process your Personal Data. You can withdraw that consent at any time by contacting us as set forth below (GDPR Article 1(a));
- To take steps at your request to process your application for employment (GDPR Article 1(b));
- To comply with our legal obligations (GDPR Article 1(f)); and
- Atara’s legitimate interests in communicating with you about our career opportunities and, as applicable, about the different steps of the recruitment process (GDPR Article 1(c)).
You can withdraw your consent or opt out of the processing to the extent that this may not affect the processing which has already occurred prior and up to the date of such withdrawal.
With Whom Atara Shares Your Personal Data
In order to carry out the aforementioned purposes your data may be transferred and disclosed to:
(1) Atara’s affiliates worldwide, and
(2) third-party service providers, acting as data processors, performing services related to Atara’s business operations and to the purposes specified above (e.g. an HR applicant tracking system provider, staffing agency).
Atara will require its affiliates and the third parties to comply with applicable data protection laws or regulations and Atara policies and procedures to protect the confidentiality and security of the Personal Data that is shared with them. Some of Atara's affiliates and/or third-party service providers may be located in countries outside of the European Union and/or the European Economic Area ("EEA"), where the laws may not offer the same level of data protection as the one available within the EU/EEA. Where your Personal Data will be transferred to third countries, Atara will ensure that all adequate safeguards are in place and that all applicable laws and regulations are complied with in connection with such cross-border data transfers.
How Atara protects your Personal Data and how long Atara retains your Personal Data
Atara will take reasonable and appropriate physical, administrative and technical safeguards to protect the processing of your Personal Data from loss, misuse, unauthorised access, disclosure, alteration or destruction. We will store your Personal Data for a period of three years, after which we will delete the data without undue delay or anonymize it as practically possible.
Your Rights and How to Exercise Them
You may request to be informed about the Personal Data Atara holds about you, access your Personal Data or ask Atara to rectify, erase or block such Personal Data. Furthermore, you may withdraw your consent without having to provide any reasons. To exercise these rights, you can at any time contact us by the means set out in the “How to Reach Us” section below.
In case your data protection related requests are not handled in a timely and appropriate manner you have the right to recourse to the competent data protection supervisory authority by lodging a complaint. A list of the national data protection supervisory authorities in Europe can be found here: https://edpb.europa.eu/about-edpb/board/members_en.
How to Reach Us
If you have any questions about this document or have a request concerning the processing of your Personal Data or your rights please contact our Privacy Officer by writing an email to privacy@atarabio.com.
EU/UK/CA Residents - Consent to use my Personal Data and contact me for recruitment purposes.
By ticking the "I accept" box below, you expressly consent to the processing of your Personal Data/Information in accordance with the above-mentioned information taking into consideration that your consent may be withdrawn at any time without giving any reasons.
Atara and/or any of its Affiliates may use my Personal Data and contact me by any communication channels available (e.g. Post, Fax, phone, SMS, mobile application, email) with respect to current or future Atara career opportunities as described in detail in the above notice.
I am aware that I can exercise my applicable rights, including my right to withdraw my consent (consistent with the privacy laws applicable to me) at any time in writing by email to privacy@atarabio.com or by mail to:
Atara Biotherapeutics, Inc.
Attn: Privacy Officer
2380 Conejo Spectrum St., Suite 200
Thousand Oaks, CA 91320
Full details of how we use your information are available in our Privacy Policy as published on our corporate website, available here: https://www.atarabio.com/privacy-policy/