Candidate Privacy Notice
Scope and Overview
This Candidate Privacy Notice (“Notice”) describes how Loram Maintenance of Way, Inc., including its subsidiaries, affiliates, and related entities (collectively, “Loram”, “we” or “us”), collects and processes your personal data during the application and recruitment process.
This Notice applies exclusively to individuals applying for employment positions in Brazil and is issued in accordance with the Lei Geral de Proteção de Dados Pessoais (LGPD – Law No. 13.709/2018).
For purposes of both the LGPD, Loram acts as the Data Controller (pursuant to LGPD Article 5, item VI. The competent supervisory authority in Brazil is the Autoridade Nacional de Proteção de Dados (ANPD).
This Notice outlines:
a. the categories of personal data we collect about you;
b. the purposes for which we process your data and the applicable legal bases under LGPD Articles 7 and 11;
c. the measures we adopt to protect and secure your personal data;
d. the third parties with whom we may share your personal data and the applicable mechanisms for cross-border transfers in accordance with LGPD Article 33; and
e. your rights as a data subject, including but not limited to the rights of access, confirmation of processing, correction, anonymization, portability, erasure, objection, and the right to request human review of automated decisions, as provided under LGPD.
Collection and Use of Personal Data
For the purposes of this Privacy Notice, “personal data” refers to any information relating to an identified or identifiable natural person, in accordance with LGPD Article 5, item I. Anonymous or de-identified data that is not associated with a particular individual does not qualify as personal data under this Notice.
Loram may collect personal data directly from you as a job applicant, or indirectly from third parties, such as background screening agencies, former employers, educational institutions, recruitment consultants, or publicly accessible sources, always in compliance with applicable law and, where required, subject to your prior and express consent.
We process personal data only where permitted by applicable law, including:
a. when necessary to perform or enter into a contract, under LGPD Article 7, item V;
b. to comply with legal or regulatory obligations to which Loram is subject, under LGPD Article 7, item II;
c. when necessary for the regular exercise of rights in judicial, administrative or arbitral proceedings, including the protection of Loram’s interests, under LGPD Article 7, item VI and Article 11, item II(c);
d. with your specific and informed consent, when required by law, under LGPD Article 7, item I; and
e. to pursue Loram’s legitimate interests or those of third parties, provided that such interests do not override your fundamental rights and freedoms, under LGPD Article 7, item IX. A legitimate interest assessment will be performed in all such cases.
Where processing is carried out on the basis of legitimate interest under LGPD Art. 7, item IX, or involves the handling of sensitive personal data pursuant to LGPD Article 11, Loram conducts a prior Legitimate Interest Assessment (“LIA”) and prepares the corresponding Data Protection Impact Report (“RIPD”) in accordance with LGPD Article 38 . A public, abridged version of these documents can be obtained upon request by contacting our Data Protection Officer at murilo.martins@loram.com.
In addition to processing your personal data for the purpose of evaluating your candidacy for the position to which you applied, we may retain and use your data to contact you about future employment opportunities that may be aligned with your profile, provided we obtain your prior and express consent for this secondary purpose. If you wish to be considered for other positions, you may contact us as specified in the “Contact Us” section, and we will retain your personal data for that purpose in accordance with the applicable retention schedule.
We will only process your personal data for the purposes for which it was collected or for purposes that are demonstrably compatible. If processing is required for a purpose that is incompatible with those originally disclosed, we will notify you and, where required by law, request your express consent.
In accordance with LGPD Article 11, we process sensitive personal data (such as racial or ethnic origin, health data, or criminal background information) only under specific legal bases, such as compliance with legal obligations, the exercise of rights in proceedings, or based on your express and separate consent.
We will also process your personal data for our own legitimate interests, including for the following purposes:
- To prevent fraud.
- To ensure network and information security, including preventing unauthorized access to our computer and electronic communications systems and preventing malicious software distribution.
You will not be subject to hiring decisions based solely on automated data processing, including profiling, without your prior consent.
The information below identifies:
- What personal data we process about you;
- Our processing purposes; and
- The lawful basis for processing your personal data.
Contact Information
- Name.
- Address.
- Email address.
- Phone number.
| Processing Purposes | Lawful Basis for Processing |
| Administering your application and considering your suitability for the role. | Pre-contractual measures (LGPD Art. 7, V) – to manage and evaluate your application and facilitate Loram’s internal recruitment process, provided a legitimate interest assessment is conducted and your fundamental rights are not overridden. |
| Making a job offer and entering into a contract of employment with you. | Contract performance (LGPD Art. 7, V) – to take steps prior to entering into an employment relationship and to formalize the employment contract. Legal obligation (LGPD Art. 7, II) – to comply with obligations under labor, social security or tax law. |
| Retaining appropriate recruitment process records. | Legal obligation (LGPD Art. 7, II) – to comply with recordkeeping duties imposed by employment or tax legislation. Exercise of rights (LGPD Art. 7, VI) – to establish, exercise or defend rights in administrative, judicial, or arbitral proceedings. Legitimate interest (LGPD Art. 7, IX) will be employed only where no contractual or legal obligation applies – to document the recruitment process and manage internal controls, with appropriate safeguards. |
Personal Information
- Date of birth.
- Gender.
- Marital or relationship status.
- Personal information contained in your CV, cover letter, or application form.
| Processing Purposes | Lawful Basis for Processing |
| Administering your application and considering your suitability for the role. | Pre-contractual measures (LGPD Art. 7, V) – to evaluate your qualifications, experience, and competencies for the applied role. |
| Making a job offer and entering into a contract of employment with you. | Contract performance (LGPD Art. 7, V) – to take necessary steps prior to entering into a contract and to formalize the employment relationship. Legal obligation (LGPD Art. 7, II) – to comply with labor, tax and social security obligations. Personal data used for this purpose will be limited to that which is necessary, in line with LGPD Art. 6, item III (necessity). |
| Developing, operating, and collecting recruitment and employee selection process feedback. | Public interest (LGPD Art. 7, §4º) – to ensure equal opportunities and prevent bias and systemic discrimination, in line with labor equality mandates. Legitimate interest (LGPD Art. 7, IX) will be employed only where no contractual or legal obligation applies – to document the recruitment process and manage internal controls, with appropriate safeguards – to improve internal recruitment procedures and enhance fairness in candidate evaluation. |
| Retaining appropriate recruitment process records. | Legal obligation (LGPD Art. 7, II) – to meet employment law and tax compliance requirements. Exercise of rights (LGPD Art. 7, VI) – to establish, exercise, or defend rights in judicial, administrative or arbitral proceedings. Legitimate interest (LGPD Art. 7, IX) will be employed only where no contractual or legal obligation applies – for internal audit purposes and recruitment process traceability. |
Identity and Background Information
In the context of your application and our recruitment process, we may collect and process the following categories of personal data, strictly for legitimate and specified purposes and in accordance with applicable data protection laws, including the Brazilian General Data Protection Law (LGPD):
a. Information related to your education, academic and professional qualifications, and respective results;
b. Employment history, professional experience, and skills;
c. Identification documents such as passport or other legally accepted identification information;
d. Information regarding your residency status, work authorization, or visa eligibility, provided such information is not related to your race or ethnicity;
e. Curriculum vitae (CV), resumé, and other professional profile materials;
f. Data voluntarily provided in your application form;
g. Evaluative notes, internal assessments, and decisions resulting from phone screenings and interviews;
h. Information related to your compensation expectations, job preferences, geographic mobility, and willingness to relocate;
i. Contact information of referees provided by you;
j. Information obtained from references issued by previous employers, academic institutions, or other professional contacts.
All personal data will be processed exclusively for the purposes of evaluating your application, complying with applicable legal and regulatory obligations, and managing recruitment-related operations, in line with the principles of necessity, purpose limitation, data minimization, and transparency.
| Processing Purposes | Lawful Basis for Processing |
| Administering your application and considering your suitability for the role. | Pre-contractual measures (LGPD Art. 7, V) – to evaluate your professional qualifications and communicate with you during the recruitment process, provided a legitimate interest assessment is conducted and appropriate safeguards are implemented. |
| Administering and reviewing your skill testing results. | Pre-contractual measures (LGPD Art. 7, V) – to assess your technical and behavioral compatibility with the requirements of the role and maintain consistent evaluation criteria across candidates. |
| Making a job offer and entering into a contract of employment with you. | Contract performance (LGPD Art. 7, V) – to take steps at your request prior to entering into a contract and to formalize the employment relationship. Legal obligation (LGPD Art. 7, II) – to comply with obligations established under labor, social security, and tax law. |
| Developing, operating, and collecting recruitment and employee selection process feedback. | Exercise of rights (LGPD Art. 7, VI) – to improve recruitment practices and selection efficiency. Public interest (LGPD Art. 7, §4º) – to ensure compliance with equal opportunity and anti-discrimination obligations. |
| Retaining appropriate recruitment process records. | Legal obligation (LGPD Art. 7, II) – to comply with retention and reporting duties under applicable labor and tax regulations. Exercise of rights (LGPD Art. 7, VI) – to establish, exercise or defend legal claims in administrative, judicial, or arbitral proceedings. Legitimate interest (LGPD Art. 7, IX) be employed only where no contractual or legal obligation applies– to document and audit recruitment procedures, ensuring process integrity. |
Financial Information
| Processing Purposes | Lawful Basis for Processing |
| Bank account details | Legal obligation (LGPD Art. 7, item II) – to process payments and comply with tax, social security, and payroll obligations. This data is collected only after a formal employment offer is accepted. |
| Preferred salary expectations (not previous salary) | Legitimate interest (LGPD Art. 7, item IX) will be employed only where no contractual or legal obligation applies – to align compensation expectations with the role offered. Data is provided voluntarily by the candidate and is not used to determine salary based on prior compensation. |
| Governmental identification numbers (e.g., CPF, PIS, social security) | Legal obligation (LGPD Art. 7, item II) – to fulfill requirements under labor, tax, and regulatory laws. Collected only upon acceptance of employment offer and handled with enhanced access controls. |
Special Categories of Personal Data
- Racial or ethnic origin.
- Nationality
| Processing Purposes | Lawful Basis for Processing |
| Racial or ethnic origin, including nationality and visa information | Compliance with legal or regulatory obligations aimed at ensuring equal opportunity or treatment in the workplace (LGPD Art. 11, II, item ‘e’); Protection of rights under labor, anti-discrimination, and immigration law (LGPD Art. 11, II, item ‘a’, “c”, e “f”); Express and specific consent, if none of the legal bases apply (LGPD Art. 11, I). |
| Developing, operating, and collecting recruitment and employee selection process feedback. | Public interest (LGPD Art. 11, II, item ‘e’) – to ensure equal opportunity, fair treatment, and compliance with anti-discrimination laws; Express consent (LGPD Art. 11, I) – if no public/legal obligation applies and candidate is informed of purpose and limitations. |
| Retaining appropriate recruitment process records. | Compliance with legal obligations (LGPD Art. 11, II, item ‘a’) – e.g., equal employment audit requirements or immigration control; Exercise of rights in legal or administrative proceedings (LGPD Art. 11, II, item ‘c’); Express and separate consent (LGPD Art. 11, I) – when retention is not legally mandated but necessary for internal recordkeeping. |
Special Categories of Personal Data
- Health data from pre-employment medical assessments
- Criminal record and financial data from pre-employment checks
| Processing Purposes | Lawful Basis for Processing |
| Health data from pre-employment medical assessments, where relevant. | Compliance with legal or regulatory obligations in labor and occupational health contexts (LGPD Art. 11, II, item ‘a’); Protection of the candidate’s or others’ physical integrity (LGPD Art. 11, II, item ‘f’); Express and specific consent (LGPD Art. 11, I), where no legal obligation applies. |
| Criminal record and financial data from pre-employment checks, where relevant for the role.
|
Compliance with legal or regulatory obligations applicable to certain positions, especially involving trust, finance, or public interest (LGPD Art. 11, II, item ‘a’); Necessity to establish or defend rights in judicial or administrative proceedings (LGPD Art. 11, II, item ‘c’); Express and separate consent, limited to roles where such checks are strictly necessary (LGPD Art. 11, I). |
| Administering your application ancd considering your suitability for the role. | Express and specific consent (LGPD Art. 11, I) – if processing sensitive data is not strictly required by law. Compliance with legal or regulatory obligations, particularly related to diversity, equality, or public interest hiring programs (LGPD Art. 11, II, item ‘e’). |
| Making a job offer and entering into a contract of employment with you. | Compliance with labor, social security, and occupational health laws (LGPD Art. 11, II, item ‘a’). Protection of health or physical integrity of the candidate or third parties (LGPD Art. 11, II, item ‘f’). |
| Retaining appropriate recruitment process records. | Compliance with employment and regulatory obligations, including equal opportunity audits (LGPD Art. 11, II, item ‘a’). Protection of rights in judicial or administrative proceedings (LGPD Art. 11, II, item ‘c’). Express and separate consent, where applicable (LGPD Art. 11, I). |
Employment Administration Information
- Terms and conditions of employment.
- Your working preferences.
- Your preferences in relation to our use of your personal data.
| Processing Purposes | Lawful Basis for Processing | |
| Administering your application and considering your suitability for the role. | Pre-contractual measures (LGPD Art. 7, V) – to administer and correspond with candidates regarding their application and ensure proper staffing, provided that fundamental rights and freedoms are not overridden.
|
|
| Making a job offer and entering into a contract of employment with you. | Compliance with pre-contractual measures and legal obligations related to labor laws (LGPD Art. 7, V) Necessary for the performance of a contract (LGPD Art. 7, V). |
|
| Retaining appropriate recruitment process records. |
|
Travel and Expenses Information
- Visa, passport and insurance details.
- Flight and accommodation booking information.
- Travel itinerary information.
- Driving license [as part of the post-offer onboarding process].
| Processing Purposes | Lawful Basis for Processing |
| Administering travel and accommodation arrangements. | Compliance with pre-contractual measures or obligations related to employment onboarding (LGPD Art. 7, V). In cases where information reveals sensitive aspects (e.g., nationality/ethnicity via visa), express consent may be required (LGPD Art. 11, I). Legitimate interest (LGPD Art. 7, IX) will be employed only where no contractual or legal obligation applies – to ensure logistical feasibility of interviews and onboarding, provided such interest does not override candidates’ fundamental rights. |
Security and Access Control Data
- Personal data, including image, captured or recorded by electronic card access systems, CCTV, and other security control systems.
| Processing Purposes | Lawful Basis for Processing |
| Monitoring the security of Loram’s physical premises. | Legitimate interest (LGPD Art. 7, IX) – to ensure the safety and protection of Loram’s assets, infrastructure, and physical premises, provided that such processing does not override the rights and freedoms of the data subject. Compliance with legal or regulatory obligations, where applicable (LGPD Art. 7, II). |
| Operating, reviewing, and responding to CCTV surveillance of Loram’s premises, including monitoring footage if required. | Legitimate interest (LGPD Art. 7, IX) – to protect Loram’s premises, assets, and individuals, and to prevent unlawful acts or losses. |
| Retaining appropriate recruitment process records. | Compliance with legal obligations (LGPD Art. 7, II) or to exercise rights in legal or administrative proceedings. CCTV footage is retained for 30 days (art. 6 III LGPD) and disclosed only for security incidents or legal claims. Signage is posted at all monitored areas Legitimate interest (LGPD Art. 7, IX) will be employed only where no contractual or legal obligation applies – to ensure fair, efficient, and documented recruitment processes. |
The provision of certain personal data is necessary to enable Loram to carry out recruitment-related activities as described in this Privacy Notice. Failure to provide or authorize the processing of mandatory personal data may result in Loram being unable to assess your application, comply with legal obligations, or take the necessary steps prior to entering into a potential employment relationship. Where applicable, we will indicate which data is mandatory and the consequences of not providing such information, in accordance with applicable data protection laws, including the Brazilian General Data Protection Law (LGPD).
Collection and Use of Special Categories of Personal Data
The following categories of personal data are considered sensitive under applicable data protection laws, including the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados – LGPD), and are subject to enhanced protections:
a.Racial or ethnic origin;
b. Political opinions;
c. Religious or philosophical beliefs;
d. Trade union membership;
e. Genetic data;
f. Biometric data used for the purpose of uniquely identifying an individual;
g. Health data;
h. Data concerning a natural person’s sex life or sexual orientation;
i. Data relating to criminal convictions or offenses, where permitted by law.
Loram will only process sensitive personal data when strictly necessary, and where one of the legal bases permitted by applicable law applies, including but not limited to: (i) compliance with legal or regulatory obligations; (ii) the exercise of rights in judicial, administrative, or arbitral proceedings; (iii) the protection of life or physical safety; or (iv) with the data subject’s specific and informed consent, where required by law.
Where Loram has a legitimate and lawful need to process sensitive personal data for purposes not previously disclosed, we will inform you in advance, explain the legal basis, and obtain your explicit consent where required by applicable law.
Data Security
We will only disclose your personal data to third parties where permitted or required by applicable law, and where such disclosure is necessary to fulfill the purposes described in this Privacy Notice. This may include disclosures to our employees, contractors, designated agents, or third-party service providers who need access to the data in order to support our recruitment process.
We may engage third-party service providers for activities such as:
a. Employment verification and background checks;
b. Data storage and cloud hosting;
c. Recruitment system operation and applicant tracking services.
These service providers may be located in other jurisdictions, including outside your country of residence or the country of the position applied for. In such cases, cross-border transfers will be carried out in accordance with the requirements of applicable data protection laws, including Article 33 of the Brazilian LGPD, which requires the implementation of appropriate safeguards to ensure an adequate level of data protection.
All third-party service providers are contractually required to:
a. Process personal data only on our documented instructions;
b. Implement appropriate technical and organizational security measures aligned with our internal policies; and
c. Not use the data for their own purposes.
We may also disclose your personal data under the following circumstances, where such disclosure is permitted or required by law:
a. To other companies within the Loram group (including entities located in other jurisdictions) as necessary to manage the recruitment process in accordance with the purposes described herein;
b. To regulators, courts, law enforcement or public authorities to comply with legal obligations, judicial decisions, or administrative orders, provided that only the minimum data necessary will be disclosed;
c. To protect Loram’s legitimate interests, including security, rights, and property;
d. In emergency situations, to protect the life or physical safety of the data subject or a third party;
e. Where personal data is manifestly made public by the data subject, in accordance with applicable law;
f. In the context of a corporate transaction (e.g., merger, acquisition, or sale of assets), provided that the data is anonymized or the minimum amount required is shared, and safeguards are in place;
g. For additional purposes, subject to the specific, informed, and freely given consent of the data subject, when such consent is required by law.
Data Retention
Except where otherwise required or permitted by applicable law or regulation, we will retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, regulatory, tax, accounting, or reporting obligations, or to defend against legal claims.
To determine the appropriate retention period for your personal data, we consider several factors, including:
a. The statutory and regulatory requirements applicable to our activities;
b. The nature, scope, and sensitivity of the personal data;
c. The risk of harm resulting from unauthorized use or disclosure;
d.The purposes for which we process your personal data and whether such purposes can be achieved by other means.
We maintain a Data Retention Policy that specifies the applicable retention periods for each category of personal data, in accordance with the principles established under the Brazilian General Data Protection Law (LGPD). You may request access to this policy by contacting us at murilo.martins@loram.com.
Once we no longer have a legal basis to retain your personal data, we will delete it, or, where deletion is not feasible, we will anonymize it in accordance with applicable law so that it can no longer be associated with you. We may use anonymized or de-identified data for legitimate business purposes, provided such use does not permit reidentification.
If you are offered and accept employment with Loram, the personal data collected during the recruitment process will be transferred to your employment file and processed in accordance with our internal employee data protection policies. If you do not become an employee, or once your employment with Loram ends, we will retain and securely dispose of your personal data in accordance with our internal retention policy and applicable data protection laws.
In certain circumstances, you may have the right to request the erasure of your personal data, as described under the section “Your Data Protection Rights.”
Rights of Access, Correction, Erasure, and Objection
It is important to us that the personal data we hold about you is accurate, complete, and up to date. Please keep us informed of any changes during the recruitment process so that we can update our records accordingly.
Under applicable data protection laws, including the Brazilian General Data Protection Law (LGPD), you may have the right to exercise the following rights in relation to your personal data, subject to legal and regulatory limitations:
a. Request access to your personal data and confirmation of whether we process your data;
b. Request the correction of inaccurate, incomplete, or outdated data;
c. Request the anonymization, blocking, or deletion of unnecessary, excessive, or unlawfully processed data;
d. Object to the processing of your personal data in cases where processing is based on legitimate interest; e. Request the portability of your personal data to another service provider or controller, where technically feasible;
e. Request the deletion of personal data processed with your consent, except where we are legally authorized or required to retain such data;
f. Be informed about public and private entities with which we share your data;
g. Be informed about the possibility of denying consent and the consequences of such denial, where applicable;
h. Revoke your consent at any time, where consent is the legal basis for processing.
To exercise any of your data protection rights, please contact us in writing at murilo.martins@loram.com. We may need to request specific information from you to confirm your identity and ensure the security of your personal data. We will respond to your request within the timeframe established by applicable law.
There may be circumstances where we are legally permitted or required to decline your request, such as when the data has already been deleted, anonymized, or must be retained for compliance with legal obligations. In such cases, we will inform you of the legal basis and reasoning for the refusal, subject to applicable legal and regulatory restrictions.
Right to Withdraw Consent
Where the processing of your personal data is based on your consent, you have the right to withdraw such consent at any time, without affecting the lawfulness of any processing carried out prior to the withdrawal. To exercise this right, please contact us in writing at murilo.martins@loram.com.
Upon receiving your request, we will cease processing your personal data for the purpose to which the consent applied, unless another legal basis permits or requires continued processing. We will confirm the receipt and implementation of your request within the timeframes established by applicable data protection laws, including the Brazilian General Data Protection Law (LGPD).
Withdrawal of consent will not affect the processing of personal data carried out on legal bases other than consent.
Data Protection Officer
We have appointed a Data Protection Officer (DPO), also referred to as the Data Protection Officer or Encarregado under the Brazilian General Data Protection Law (LGPD), who is responsible for overseeing our compliance with applicable data protection laws and this Privacy Notice.
If you have any questions, concerns, or requests related to the processing of your personal data, or if you wish to exercise any of your data protection rights, you may contact our Data Protection Officer at: murilo.martins@loram.com.
If you are not satisfied with our response to your inquiries, you may have the right to file a complaint with the relevant data protection authority in your jurisdiction, including the Brazilian National Data Protection Authority (Autoridade Nacional de Proteção de Dados – ANPD), if applicable.
Changes to This Privacy Notice
We reserve the right to update or modify this Privacy Notice at any time, to reflect changes in our practices, applicable laws, or regulatory requirements. When we make material changes to this Privacy Notice, we will provide you with an updated version and, where required by law, obtain your consent before continuing to process your personal data under the new terms.
If we intend to process your previously collected personal data for purposes that are materially different from those originally disclosed, we will notify you in advance and, when legally required, seek your explicit, informed, and freely given consent before such processing occurs.
We may process your personal data without your knowledge or consent only where such processing is necessary to comply with a legal or regulatory obligation under applicable law.
