tl/dr: This company has no idea what they are doing. If you want to protect your data, the only option is to refuse to do business with them.
Privacy and HTTP
The first question is whether or not it is possible to communicate privately over HTTP. The answer is generally a solid "NO!". HTTP is a plain text protocol, which means that every server in between your machine and the destination server has an opportunity to read, log, and do whatever it wants with any data transmitted over HTTP. This is not a theoretical problem - there can easily be dozens of servers and switches between you and the destination.
Now technically it is possible for a website to perform its own encryption before transmitting data over HTTP, thus providing privacy anyway. In practice though it is safe to assume that this is not happening. The reason is because doing this (and more importantly, doing it well) is quite difficult. Using an SSL certificate over HTTPS is a much simpler, quicker, and cheaper way of providing privacy over the internet. It would be absolutely crazy to forgo HTTPS and instead attempt your own encryption over HTTP, especially since there are large parts of the HTTP request that you still wouldn't be able to encrypt anyway. It wouldn't be a private solution even if you tried.
HTTPS
So to reiterate, HTTPS is the simplest and most effective way to communicate privately over the internet. Especially since the advent of Let's Encrypt, it's also incredibly easy to implement and free. There is literally no good reason for a website operator to skip HTTPS on any website that collects sensitive data. It's really as simple as that.
The company response
So what about this company? They don't have HTTPS. They are transmitting your data over HTTP. I can guarantee you that they aren't trying to encrypt it otherwise, and that really wouldn't work well even if they tried. That means that your private data is being sent across the internet for everyone to see. However, they say:
appropriate security measures have been provided to guarantee the
personal data security
Quite simply, this is complete B.S. All this means is that they believe that their security measures are appropriate. The lack of HTTPS conclusively demonstrates otherwise. They dig the hole further on the next line:
we will provide [an SSL certificate] as soon as possible.
As we've already discussed, SSL certificates are free and easy to install. "As soon as possible" happened literally 4 years ago. This is nothing but an excuse for incompetence, which leaves your data at risk.
Finally you ask:
is there a way that I can package and send the data to them securely
by alternative means
Unfortunately you are asking the wrong question. Imagine that you do come up with some way to securely send them data. When a company has failed so completely with the basics of data security, can you really expect them to store and use your data in a secure and private manner?
You should simply assume that whatever information you send to them, regardless of how it gets there, will eventually be leaked publicly. Because it probably will.
Next steps?
In the end you have to decide which you care about more: the possibility of getting a job from them or the possibility of having your private data leaked. Only you can make that call.
They mentioned GDPR, so presumably they are in a region where the GDPR is in force. Presumably they are violating GDPR, despite their claims otherwise. This suggests that an obvious next step is to file a complaint with the proper government organization. I'm in the USA so I have no idea what that entails (and it is more of a legal matter anyway, so not really on-topic here). Regardless, that is unlikely to make change happen on a timescale you need it to happen, so once again you will have to decide between using them and risking your data, or ignoring them and risking the loss of a job opportunity.
