INFORMATION ON THE PROCESSING OF PERSONAL DATA FOR RECRUITMENT
- A. Data Controller
The Data Controller is the person who determines the purposes for which and the Means of processing personal data (the “Data Controller”) and is identified in SABO S.p.A.
The Data Controller may be contacted by e-mail at the following address Via Caravaggi, Levate (BG) – postal code 24040 or at the following e-mail address: firstname.lastname@example.org
- B. Categories of personal data
The Data Controller may, as an example but not limited to, collect the following categories of personal data from you in response to a specific advertisement or in case of voluntary application and/or from third parties that the Data Controller refers to for selection procedures:
- Identifying data, such as name, surname, date of birth, address, e-mail address and telephone contacts, educational qualifications, work experience and any other data you may have entered in your curriculum vitae and/or provided during the interview.
- Special/sensitive data, if special categories of data are indicated in your curriculum vitae pursuant to art. 9 of the GDPR (“personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data aimed at uniquely identifying a natural person, data relating to a person’s health or sexual life or sexual orientation“) will not be taken into consideration, with the exception of those that determine that the candidate belongs to a protected category.
- C. Purposes and legal basis of the processing
Your personal data are processed and used for the following purposes:
- Candidate search and selection: your data will be processed in order to follow up the recruitment procedures and/or your request and, more precisely, to verify the conditions for recruitment and/or the start of a collaboration.
Legal basis: execution of pre-contractual measures adopted at your request pursuant to art. 6 par. 1 letter b) of the GDPR; freely expressed explicit consent pursuant to art. 9 par. 2 letter a) of the GDPR, with reference to the processing of special categories of personal data concerning you.
Data retention policy: your data will be stored for the next twenty-four months starting from the moment of acquisition of your curriculum vitae in order to evaluate your profile during future and possible selection procedures.
- Exercise and/or defence of a right: your data may also be processed to verify, exercise or defend a right of the Data Controller in the judicial phase.
Legal basis: legitimate interest of the Data Controller consisting in defending one’s own right or making some claim deriving from the selection procedure, unless your interests or fundamental rights prevail (art. 6 par. 1 letter f of the GDPR).
Data storage policy: your data will be stored for the period of time necessary to allow the Data Controller to act or defend itself against any claims made against you or third parties.
- D. Nature of the contribution
The provision of data is optional and it is subject to the candidate’s intention to submit his/her curriculum vitae. The Company reserves the right to collect additional information directly from you during the interview and to integrate such information with an aptitude assessment. Failure to provide such information will make it impossible to proceed with the verification of the conditions for recruitment and/or for the start of collaboration and, therefore, the possible establishment of a relationship with the Data Controller.
- E. Data processing methods
Processing will be carried out by the Company in compliance with the security measures under art. 32 of the GDPR, through manual, information system and computerised tools specifically designed to store, manage and transmit data to pursue only the purposes for which the data were collected and, in any case, to guarantee their security and confidentiality, as well as in full compliance with the principles of fairness, lawfulness and transparency.
- F. Data communication
The data may be disclosed to employees and collaborators of the Company who may process your data in compliance with the instructions given by the Company by operating in the company areas interested in your application as authorised persons. Your personal data may also be processed by third parties identified and appointed pursuant to art. 28 of Reg. 679/2016, for any administrative procedures in case of recruitment and for the fulfilment of legal obligations.
- G. Data transfer to a third country or an international organization
Personal data are processed within the European Union and stored on servers located there. In any case, it is understood that the Data Controller, if necessary, will have the right to transmit such data to a third country or an international organisation and/or move the servers even outside the EU. In this case, the Data Controller assures from now on that the transfer of non-EU data will take place in compliance with the applicable legal provisions, as per art. 44 and following of the GDPR.
- H. Data subject’s rights
The Company informs you, finally, that pursuant to current legislation on the protection of personal data, you may at any time exercise specific rights – pursuant to Articles 15-22 of the GDPR – and in particular you may ask the Data Controller to do so:
- Access to your personal data and information, i.e. the possibility to get from the Data Controller the confirmation that the processing of personal data is in progress and in this case get access to own personal data;
- Rectification of incorrect personal data, as well as the integration of the incomplete data (with an integrative statement);
- The deletion of your personal data if (i) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; ii) you withdraw consent on which the processing is based and there is no other legal ground for the processing; (iii) the personal data have been unlawfully processed; (iv) the personal data have to be erased in compliance with a legal obligation under EU or Member State law to which the controller is subject; (v) the Data Subject opposes the Processing and there is no prevailing legitimate reason to proceed with the Processing, or when the Data Subject opposes the Processing in the cases provided for by Article 21, paragraph 2, of GDPR (personal data processed for direct marketing purposes).
- Right to limitation of processing where the accuracy of personal data is contested (for the period necessary for the Data Controller to verify the accuracy of such personal data) or the processing is unlawful and/or the interested has opposed the Treatment asking for its limitation;
- Right to data portability like right to receive from the Data Controller personal data in a structured format, commonly used and readable by an automatic device and to transmit such data to another Data Controller, only for cases where the treatment is based on consent and only for data whose treatment is carried out by automated means;
- Right to object without prejudice to the right of the Data Controller to demonstrate the existence of legitimate reasons for proceeding with the Treatment anyway;
- Withdrawal of consent at any time, if the treatment is based on your explicit consent, without negative effects on the lawfulness of the treatments carried out until the exercise of the revocation;
- Right to lodge a complaint with a supervisory Authority of the Member State in which you reside or habitually work or the state in which the alleged violation occurred without prejudice to any other administrative or judicial appeal, in case of violation of the aforementioned regulation.
If you need further information on the processing of your personal data and to exercise the above mentioned rights, you can send a written request using the contacts provided in the ‘Data Controller’ section of this statement. If you request more information about your data, the Data Controller shall respond promptly – unless it is impossible or involves a manifestly disproportionate effort compared with the right to be protected – and in any case no later than thirty days from the request. The Data Controller will justify any inability or delay in doing so to meet the request.