EMPLOYEE & APPLICANT  

PRIVACY POLICY

Table of Contents

  1. Terms We Use In This Policy
  2. Compliance With Local Laws
  3. What Personal Information Do We Collect and How Do We Collect It?
  4. What Do We Use Personal Information For?
  5. Your Health Information
  6.  Monitoring
  7. With Whom Do We Share Your Personal Information?
  8. International Operations and Transfers Out of Your Home Jurisdiction
  9. How Do We Secure Your Personal Information?
  10. How Do You Update Your Personal Information?
  11. How Can Your Request Access to Your Personal Information?
  12. What Other Rights Do You Have Over Your Personal Information?
  13. How Long Do We Retain Your Personal Information?
  14. EU, EEA, and UK Privacy Disclosures
    14.1 Data Controller
    14.2 Representatives
    14.3 Your Rights
    14.4 Lawful Basis for Processing Your Information
  15. Contact Use
  16. Revisions to This Privacy Policy

Last Updated: August 24, 2023 

This privacy policy is intended for employees and recruits who apply to work at Virgin Galactic. Our goal is to describe how we collect and use your personal information from the time you apply to work with us throughout your entire journey here at Virgin Galactic.  

Also, please refer to our Virgin Galactic Employee Handbook (as applicable) and our online privacy ​​​​policy https://www.virgingalactic.com/privacy-policy, which are incorporated into this policy.

1. Terms We Use In This Policy


For purposes of this policy: 
​​​​​​​

  • The words “our,” “us,” “we,” and “Virgin Galactic” refer to Virgin Galactic Holdings, Virgin Galactic LLC, Virgin Galactic Ltd., and any other subsidiaries and other affiliates (which includes any person or entity that controls us, is controlled by us, or is under common control with us, such as our subsidiary, parent company, or our employees). 


  • The term “employee” refers to all employees, directors, officers, and board members of Virgin Galactic. For the purposes of this privacy policy only, it also refers to other volunteers, and interns engaged by Virgin Galactic, even though they are not employees under applicable employment laws. 


  • The term “applicant” refers to individuals who are job candidates or who have submitted information to Virgin Galactic (such as a resume or job application) to apply to be a Virgin Galactic employee or an intern or who have subscribed to our Job Alert notifications. 


  • The term “personal information”, and except where a different definition is noted or provided by applicable law, we mean means any information relating to an identified or identifiable natural person an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, or as how personal information is defined in any privacy law in the jurisdiction where you live. Personal information does not include information that is not covered by applicable privacy laws, including that which cannot be reasonably linked to you, (de-identified or aggregated data) or publicly available information.  Personal information includes personal data as defined under applicable data privacy laws. 

    When we use the term “special information,” we mean personal information as defined under applicable laws revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, Biometric Information for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation. For clarity, personal information includes special information. 


  • “Biometric Information” means  any information, regardless of how it is captured, converted, stored, or shared, based on an individual's biometric identifier used to identify an individual which include  fingerprints, face structure, hand, palm, voice print, facial images, imagery of the iris, retina, vein patterns, keystroke patterns or rhythms, gait patterns or rhythms, DNA or dactyloscopy data or any personal information resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allows or confirms the unique identification of that natural person. 


  • The words “you”, “your”, “yours” refer to employees and applicants. 

2. Compliance With Local Laws 

​​​​​​​

This privacy policy describes some of the ways in which how Virgin Galactic treats employee and applicant personal information. 

You should be aware that data privacy laws can vary in different jurisdictions where Virgin Galactic operates and has employees. Virgin Galactic’s policy is to comply with applicable local laws, including requirements in certain countries that Virgin Galactic notify its employees in that country of its personal information practices, and in some cases, obtain consent to those practices. 

Where local laws are stricter than the policies described in this policy, Virgin Galactic has adopted specific privacy practices in those locations to satisfy those stricter requirements. Where local laws are less strict than this policy, the protections described in this policy will apply. 

3. What Personal Information Do We Collect and How Do We Collect It? 


Virgin Galactic collects and stores different categories of personal information about employees and applicants, including without limitation: 


Applicants’ Personal Information Categories We Collect 
​​​​​​​
  • Identifiers and Contact information such as your names, contact email, phone numbers 

  • Professional career and Educational Information, such as C.V., cover letters, referrals, and background check information and reports 

  • Photos, Audio recordings, and Videos such as these related to your application, interviews, or visits to our facilities at Virgin Galactic and from our surveillance cameras when you come to our buildings 

  • Special Information such as:  

  • Possibly criminal convictions due to background checks and/or drug screenings  

  • Health information such as Covid screening questions, health checks, fit for duty checks, drug screenings  

  • Maybe religion for Covid exemption  

  • Demographic data as describe below 

  • Communications information such as emails, video calls, phone calls, instant messages 

  • Preferences and interests 

  • Additional information as otherwise described to you at the point of collection or pursuant to your consent if allowed 

  • Any other information you choose to provide directly to us in connection with your application for employment with us 


Employees’ Personal Information Categories We Collect 

Applicants’ information listed above, and additional information such as: 

  • Employment-related Information and Records such as work title and work location, “onboarding” and “off-boarding” documents and information, training information, performance evaluations, payrolls, and related information, information related to benefits and retirement plans, requests and claims 

  • Financial information for example, for payroll payments, benefits, and tax purposes 

  • Photos, Audio recordings, and Videos such as these related to your work and experience at Virgin Galactic  

  • Other Persons’ Information such as emergency contact information, partner or relatives or other person’s personal information, including data about children as part of the benefits management  

  • IT/Technical Information such as user’s account information, technical logs, online browsing information, and monitoring-related information as described further below in this Policy 

  • Comments, surveys, interviews, recognitions, opinions, analytics 

  • Special Information such as: 

    • Biometric Information, including, for certain employees, fingerprints if they chose to use fingerprints to access certain company devices. 
    • Health information such as leave of absence, accidents or injuries in the workplace, information related to our Health, environment, and safety obligations 
    • IP geolocation on our networks and devices 


We may collect certain demographic data that qualifies as special information, such as race, ethnicity, sexual orientation, veteran status, and disability, to help us understand the diversity of our workforce as allowed under local law. We also collect this information from you as part of our reporting requirements under various local laws (for example, when you apply for a job and provide your demographic information to us). This information, when collected, is generally done so on a voluntary consensual basis, and employee and applicants are not required to provide this information, unless it is necessary for us to collect such information to comply with our legal obligations. 

Most often, the personal information we collect from employees and applicants is collected from them directly. In some cases, we collect personal information about employees and applicants from third parties, for example, when we perform background checks that are necessary for the role to be performed by the employee. In most circumstances, we will get your permission before we collect personal information about you from a third party. 

If we ask you to provide any other personal information not described above, then the personal information we will ask you to provide and the reasons why we ask you to provide it, will be stated to you at the time we collect it. 

4. What Do We Use Personal Information For? 


Virgin Galactic uses and discloses the personal information that we collect primarily for the purposes of managing talent acquisitions and our employment relationship with you, along with other business purposes. Such uses include: 

  • Talent acquisition and recruitment management including for example determining eligibility for hiring, the verification of your job application, your references, and qualifications and, where permitted by law, administering background checks and drug screenings 

  • To send you job alert notifications and communications of new job positions 

  • ‘Onboarding’ new employees and management of employee’s termination, resignation, or dismissal  

  • Pay determination and compensation program, administering payroll, benefits and time-off as well as processing employee work-related claims (e.g., worker compensation, insurance claims, etc.) and leave of absence requests 

  • Organizational development and training, surveys, analytics and planning, business partner projects management 

  • Providing services to you, such as expense reporting tools, benefits programs, on-line learnings, communication channels, or access to the Virgin Family Platform, a global digital employee experience and collaboration platform within Virgin group 

  • Work performance management, including performance evaluations, performance improvement plan and promotions, rewards, and recognition program 

  • Disciplinary actions or termination, responses to data access management and legal requests  

  • Establishing emergency contacts and communicating in case of urgency or emergencies 

  • Compiling internal directories, such as employee directories 

  • IT, communications and assets security and management 

  • Environmental Health and Safety management, emergency responses, quality management 

  • Operating our business activities and other legitimate purposes reasonably required for day-to-day operations, such as accounting, finance and taxes, business planning, engineering, manufacturing, procurement 

  • To comply with our website/app Terms & Conditions of Use, Privacy Policy, Employee Handbook, and other company policies, procedures, and agreements 

  • Communications with you and social media interactions 

  • To fulfill the contract we have with you 

  • To comply with any applicable laws and regulations (e.g., labor and employment laws, health and safety, tax, anti-discrimination laws, U.S. trade laws and regulations), and respond to lawful requests, including for potential or ongoing litigation or inquiries, the pursuit of potential claims, to defend legal claims 

  • Detection or prevention of any inappropriate behavior or violation of Virgin Galactic policies, procedures, rules, including the protection of our intellectual property, data security, and privacy measures, detect and prevent fraud or other types of wrongdoing, disciplinary measures, confidential information, and other tangible and intangible property 

  • For any other purposes disclosed to you at the time we collect your information and/or pursuant to your consent 
    ​​​​​​​

Where required, we collect the above information with your consent, and as necessary for performance of your employee contract, as required by law, and in our legitimate interest which we believe outweighs the general privacy rights of employees.  

While employed with Virgin Galactic , Virgin Galactic may provide you with company devices and equipment and access to storage units or services that may allow for the use of biometric technologies for the convenience of unlocking the devices using your Biometric Information . If you chose and with your express consent, which all consents employees are required to review, your Biometric Information may be used to authenticate you on our company equipment and devices, as well as access to our storage units or services.  More information can be found in the Virgin Galactic Biometrics Notice and Consent Form.  

5. Your Health Information 


Virgin Galactic uses your health information for the purposes described above and for preventing and mitigating any outbreak.  


​​​​​​​In specific cases, for example, you may be employed as part of one of our spaceflight crew or could participate in Virgin Galactic programs that require us to assess your health and wellness for safety purposes before permitting you to take place in any flight or program. In such cases, we will treat your health information as both a special category of personal data and protected health information. More information about how we use and protect protected health information is available in the Virgin Galactic Health Record Privacy Notice. 

6. Monitoring 


Virgin Galactic physically and electronically monitors its offices, buildings, equipment, products and services and the use of our IT and communications systems for security-related purposes and for U.S. trade laws and regulations compliance. 


For example, we may monitor employees’ and applicants’ activity and presence in our offices and buildings with badge readers, sign-in sheets, time clock in/out machines, and surveillance cameras. We generally do these things to prevent unauthorized access to our offices and to protect employees, authorized visitors, and our property, and control presence on-site. 


Virgin Galactic may also monitor or record employee activity on our IT and communications systems and network, such as internet traffic, website filtering, email, text messages, IP geolocation and instant communications or systems accessed. More information on electronic monitoring is in the Virgin Galactic Employee Handbook and in the Virgin Galactic Information Technology Policy. 


Where permitted by law, we may also carry out monitoring for other purposes, such as: 
​​​​​​​

  • Payroll management 

  • Proof of business transactions and archiving 

  • Training and evaluation of employees 

  • Protection of confidential information, intellectual property, and other business interests 

  • To prevent or investigate breaches of Virgin Galactic policies and procedures, or other unlawful or improper acts 

  • For compliance with a legal obligation 

  • Other legitimate purposes as permitted by applicable law. 

In the process of monitoring Virgin Galactic’s offices, buildings, furnishings, equipment, products, services, systems, network, and work-related activities, we may come across employees’ or applicants’ personal information. While at work or working on Virgin Galactic’s equipment and network, employees should have no expectation of privacy, except as otherwise provided by the law applicable to you or as otherwise provided to you in writing. Monitoring will be done in a manner that is proportionate and only as required or permitted by applicable law.  


Lastly, we want you to be aware that all Virgin Galactic employee work product as well as tools used to generate that work product, workstations, furnishing, equipment, products, and services wherever stored, belongs to Virgin Galactic, and we may review and monitor them for the purposes described above. 

7. With Whom Do We Share Your Personal Information? 


We may share your personal information or the personal information of your family or dependents with other employees, other Virgin Galactic group companies, contractors, consultants, auditors, and service providers. 


Ways inwhich we may share your personal information are as follows:  
​​​​​​​

  • Third-Party Service Providers. We may share your information with third-party service providers or data processors that perform certain functions or services on our behalf (such as storing, collecting, processing, or managing the data, IT services, performing analyses, processing credit card payments, providing employee services and products, payroll support services and employee travel management services, providing benefits, health plans, health analysis, manage or terminate your employment with Virgin Galactic, or send communications for us). These third-party service providers will process this data only for purposes specified by us and will be bound by contract to meet our obligations under applicable law. 


  • Disclosure of Information for Legal and Administrative Reasons. We may disclose your information without notice: (i) when required by law or to comply with a court order, subpoena, search warrant, or other legal processes; (ii) to cooperate or undertake an internal or external investigation or audit; (iii) to comply with legal, regulatory or administrative requirements of governmental authorities (including, without limitation, requests from the governmental agency authorities to view your Information); (iv) to protect and defend the rights, property or safety of us, our subsidiaries and affiliates and any of their officers, directors, employees, attorneys, agents, contractors and partners, and employees and users; (v) to enforce or apply our policies and procedures; and (vi) to verify the identity of users or employees. 


  • Information Shared with our Affiliates. We may share your information with our subsidiaries and affiliates for the only purposes described in this policy. Or if we go through a corporate sale, merger, reorganization, dissolution, or similar event.  


  • Information Shared with Virgin companies within the Virgin Group. With your consent, we will share your personal information with our partner Virgin Management Limited within the Virgin Group to provide you access to the Virgin Family Platform, a global digital employee experience and collaboration platform within the Virgin Group offered for employees only. The Virgin Family Platform also provides to Virgin Galactic a number of channels for brand promotion, access to new customers from the wider Virgin family and better visibility of activity happening across the Virgin Group. You may opt-out (unsubscribe) at your discretion at any time . 


  • Online Communications. If you correspond with us by email, text messages, questionnaires, surveys, social media, or other digital online platforms, we may retain such correspondence and the information contained in it and use it to respond to your inquiry. 


  • Safety and Security.  We may share information to protect the safety and security of our employees, contractors, users, and customers, to prevent fraud, abuse, or unauthorized activities, to prevent and mitigate outbreaks, to protect the rights of property of us, third parties, you, or others, including enforcing the terms of our agreements. 


  • Aggregate Data. We may share general information, aggregated data, or publish information based on aggregated data. Your personal information may be shared if it is made anonymous and aggregated, as in such circumstances the information will cease to be personal information. We may aggregate the information that we collect about you and other individuals by removing any personal information that directly identifies a user and by combining this information. This aggregated information may be used for marketing, research, and the development of and contribution to spaceflights knowledge, and financial or operational analysis and planning, and it may be shared with third parties, including business partners and group companies to, for example, carry out analyses and to enhance and improve the quality and delivery of our products and services. 


  • With Your Consent. We may share information consistent with this privacy policy with your consent.  

8. International Operations and Transfers Out of Your Home Jurisdiction 

​​​​​​​

Virgin Galactic operates in the United States and the United Kingdom. As part of our regular operations your data will be transferred to and processed in the United States, which has different and less restrictive privacy laws than that in many non-US countries. Your personal information may be transferred to and processed in any country where we have offices and buildings or in which we engage service providers.  


Thus, we transfer your personal information to third parties as described in this Privacy Policy; some of these parties may be located in countries other than your own, whose privacy and data protection laws may not be equivalent to those in your country of residence.  


When we transfer your personal information to other countries, we apply appropriate safeguards to protect your information and comply with applicable laws.  For example, we implement measures such as standard data protection contractual clauses so that any transferred personal information remains protected and secure. For example, if we transfer personal information subject to privacy laws outside of the US, we will use transfer mechanisms, e.g., Standard Contractual Clauses approved by the European Commission in accordance with Article 46(2)(c) of the General Data Protection Regulation, e.g., the international data transfer agreement approved by the UK Information Commissioner's Office in accordance with the UK GDPR. We will only transfer data to jurisdictions outside the scope of the UK and European Economic Area where the appropriate safeguards set out in applicable data protection law are in place. If you would like to obtain copies of the regulator-approved Standard Contractual Clauses, please Contact Us

9. How Do We Secure Your Personal Information? 

​​​​​​​

We use appropriate technical and organizational security measures to protect the security of your personal information both online and offline including the implementation of access controls, implementation of firewalls, network intrusion detection, and use of anti-virus software. No system is completely secure. Therefore, although we believe the measures implemented by us reduce the likelihood of security problems to a level appropriate to the type of data involved, we do not promise or guarantee, and you should not expect, that your information or private communications will always remain private or secure. We do not guarantee that your information will not be misused by third parties.   


We encourage you to use our secure mechanisms of file sharing and information sharing when you communicate with us.  

10. How Do You Update Your Personal Information? 


It is important that the information contained in our records is both accurate and current. We offer various self-help tools that will allow you to update certain of your personal information in our records.  
​​​​​​​

If your personal information changes during your employment, please use these self-help tools to update that data, where available, or let the People Team know of those changes. 

11. How Can You Request Access to Your Personal Information? 

​​​​​​​

As employees and applicants, you can see some of your personal information by login into your online personal accounts opened on our career website and in our employee applications.  

You can also make a request in writing to the Privacy Team at Contact Us. We may ask you for information to verify your identity and evaluate your right to access the personal information requested. You can also ask that we delete personal information that you believe is inaccurate or no longer relevant in this same way.  

Of course, we might need to refuse access to, or deletion of, personal information in certain cases, such as when providing access might infringe on someone else’s privacy rights or impact our legal obligations or as otherwise stated by the applicable law. 

12. What Other Rights Do You Have Over Your Personal Information? 


Depending on the state or country where you live, you may also have other data protection rights. These rights may include the right to access and correct.
​​​​​​​  

Depending on the state or country where you live, you may also have certain rights concerning how you consent to communications by us and the right to lodge a complaint with your Data Protection Authority. 

13. How Long Do We Retain Your Personal Information? 

​​​​​​​

We will retain your personal information as required by law, as necessary to perform your job application, for the duration of your employment until the applicable laws require us to retain your personal information for a legally prescribed period, or with your consent as long as you have subscribed to our job alert notifications or agreed to be contacted by us, and for other business reasons as stated in this policy.  


We will also retain and use your personal information as necessary to comply with our legal obligations, including any applicable rules on statute of limitations, any relevant litigation, or regulatory investigations, to enable us to defend or bring potential legal claims, resolve disputes, enforce our agreements, and in accordance with our routine record keeping that considers the duration of your application and employment. We are under no obligation to store such information indefinitely. 

14. EU, EEA, and UK Privacy Disclosures  


This section applies only to individuals resident of the European Union (“EU”), European Economic Area (“EEA”), and the United Kingdom (“UK”) and only if we collect any personal data as defined in any applicable laws for those countries (“European Laws”) (which may include some or all of your personal information as defined in this policy).  


14.1 Data Controller  

Unless otherwise stated at the time of collection, Virgin Galactic LLC is the data controller for the personal information we process for persons in the EU, EAA, and UK.   

14.2 Representatives 

The data controller’s representatives in the UK and in the EU are: 


In the UK:  

  • Osano UK Compliance LTD  
  • ATTN: IIXR  
  • 42-46 Fountain Street  
  • Belfast   
  • Antrim   
  • BT1 – 5EF  
  • In the EU:  
  • Osano International Compliance Services Limited  
  • ATTN: IIXR  
  • 3 Dublin Landings  
  • North Wall Quay  
  • Dublin 1 
  • D01C4E0 

14.3 Your Rights  

To the extent the European Laws apply to you and our processing activities, and we hold such personal data in our capacity as a data controller as defined under those laws, you may request that we honor any rights provided to you under the European Laws, which may include the right to:  

  

  • Access: Request access to your personal information and obtain a copy and certain other information about it.  

  • Correction: Request that any incomplete or inaccurate information we hold about you is corrected.  

  • Erasure: Ask us to delete or remove personal information in certain circumstances. There are also certain exceptions where we may refuse a request for erasure (e.g., where the Personal Information is required for compliance with law or in connection with claims).  

  • Restriction: Ask us to suspend the processing of certain of your personal information about you (e.g., if you want us to establish its accuracy or the reason for processing it).  

  • Transfer and portability: Request the transfer and portability of certain of your personal information to another party.        

  • Objection: In addition, where we are processing your personal information based on our legitimate interests (or those of a third party) you may challenge this, e.g., revoking your consent for processing personal data. We will consider your request in accordance with applicable data protection and privacy laws. However, we may be entitled to continue processing your personal information based on our legitimate interests or where this is relevant to legal claims we may make or are made against us. You also have the right to object where we are processing your personal information for direct marketing purposes on the basis of consent.  

  • Automated decisions: Contest any automated decision made about you where this has a legal or similar significant effect and ask for it to be reconsidered.  

  • Communications: Opt-out of certain communications.  


To exercise any rights provided under European Laws, please Contact Us.   

  

You also have a right to lodge a complaint with a supervisory authority, in particular in the Member State in the EU where you are habitually resident where we are based or where an alleged infringement of European Law has taken place. You may view a list of supervisory authorities here:  https://edpb.europa.eu/about-edpb/about-edpb/members_en     

In the UK you can make a complaint to the Information Commissioner's Office (Tel: 0303 123 1113 or at https://ico.org.uk/global/contact-us/).   


If you have a complaint, we would appreciate the chance to deal with your concerns first, Contact Us.  

14.4 Lawful Basis for Processing Your Information 

We believe the handling of your personal information, which may include your personal data as defined under European Laws, furthers our legitimate interests in our activities that are not overridden by the interest or fundamental rights and freedoms of the individuals at issue. Depending on what personal information we collect from you and how we collect it, we rely on various grounds for processing your personal data, including the following reasons:  

  

  • Because you have provided your consent for us to do so. 

  • To administer our contractual relationship, including talent acquisition services and job application services you may request. 

  • Because it is in our legitimate interest to manage our communications and relationships with you as an applicant or an employee. 

  • To fulfill any legal obligations.  


If the processing of your personal information is based on your consent, the European Laws also allow the right to access, revoke or modify your consent at any time. To review or modify your consents, please Contact Us.  

15. Contact Us 


If you have any questions or concerns about this policy or your personal information, you can contact the Privacy Team using one of the following ways: 


Phone:                  +1 949 774 7640  

E-mail:                  privacy@virgingalactic.com

Post Mail:             Virgin Galactic, Attn: Privacy Team, 1700 Flight Way, Tustin, CA 92782, USA  


To submit us a Data Subject Access Request, please contact us by using this online DSAR Form.

  

Please note, if you submit to us a Data Subject Access Request, once we receive your request, we may verify it by requesting information sufficient to confirm your identity. If you would like to use an authorized agent to exercise your rights, we may request evidence that you have provided such agent with power of attorney or that the agent otherwise has valid written authority to submit requests to exercise rights on your behalf.   

  

We reserve the right to deny Data Subject Access Requests as allowed by applicable law, such as where we have a reasonable belief that the request is fraudulent or where your identity cannot be confirmed or where we must retain your information consistent with applicable law. You can, however, appeal those requests that we deny. We will not discriminate against you for exercising your rights and choices, although some of the functionality and features available to you may change or no longer be available to you.  

  

To the extent permitted by applicable law, we may charge a reasonable fee to comply with your Data Subject Access Request. This statement is available in alternative formats upon request by contacting us. ​​​​​​​

16. REVISIONS TO THIS PRIVACY POLICY 


We may, from time to time, make updates or changes to this privacy policy because of changes in applicable laws or regulations or because of changes in our personal information practices. We will provide you notice of any material changes that impact your personal information, and where consent is necessary to make a change apply to our practices with respect to your personal information, we will not apply the changes to your personal information until we have that consent.