CANDIDATE INFORMATION NOTICE
INFORMATION NOTICE CONCERNING PROTECTION OF PERSONAL DATA PURSUANT TO ART. 12 and following EU REGULATION 679/2016
Pursuant to the new Regulation 679/2016 (or the “GDPR”), in accordance with the accountability principle, any processing of personal data shall be lawful, fair and transparent. According to said principles, the data subject shall be informed of the existence of the same, the purposes thereof and the rights he/she can exercise.
We are, therefore, pleased to describe, with this information notice, the methods with which Pitti Immagine S.r.l. will process personal data contained in the curricula that are sent to the Company by candidates who are interested in establishing a working relationship or another form of professional collaboration with Pitti Immagine.
Please note that sending this information on how we process the personal data that you provide us, does not imply any commitment to or initiation of an assessment process for potential employment of any kind whatsoever. We will keep the CVs that are sent to us for our own reference for the time that we will indicate below. Any future communication to initiate an assessment for potential employment will be the subject of a separate letter or communication.
Processing is carried out in full compliance with current privacy legislation. Hence, we will not process any data that are not necessary for the candidate assessment/selection activities or to achieve one of the other purposes specified below.
Selection activities will also taken into consideration the particular tasks and/or specificities of the required professional profiles.
In some cases, in addition to so-called “common” personal data (such as identifying details), we may receive certain data belonging to special categories (pursuant to art. 9 of the GDPR), such as health-related data.Pitti Immagine S.r.l. will use these data only if their collection is justified by one of the purposes specified in this information notice and if the data are, in any case, necessary for an employment/collaboration relationship to be established. We therefore recommend that this notice be read carefully and we are available for any further information or clarification regarding the protection of your personal data.
CONTROLLER - CONTACT DETAILS
PITTI IMMAGINE S.r.l. with offices in Via Faenza, 111 – Florence, Italy.
For any communication regarding privacy, and specifically regarding exercising any of the rights described below, the Controller (in terms of processing personal data) has created the following email address: email@example.com.
The source of the data
Personal data collected are those data given by the candidate (or the data subject) on his/her CV which has been sent through one of the communication channels made available by the Controller.
The nature of the data
Processing normally concerns personal data of a common nature and a series of other information belonging to the data subject’s professional and personal background.
Any processing of data belonging to a special category (as per art. 9 of the GDPR), such as data concerning the data subject’s health, is done only if the data which are communicated to us by the data subject are pertinent and necessary to achieve one of the specific purposes for which processing is carried out.
The purpose of the processing
1) Personal data collected will be used to process the application for employment or another form of professional collaboration, and specifically to carry out all the internal checks needed to assess the data subject’s profile with the aim of potentially establishing an employment and/or collaborative relationship as well as to communicate with the data subject during the processing period.
2) Personal data may also be processed to fulfil or to require the fulfilment of specific legal obligations or to carry out specific tasks required by law or by collective agreements, including corporate ones, with the aim of establishing an employment relationship, including the recognition of special terms or benefits required by law, or to fulfil other specific commitments relating to protecting safety, health and hygiene at work in compliance with trade union legislation, social security and welfare regulations, or as provided for by tax legislation;
3) Data may also be processed in the Controller’s, or a third party’s, pursuit of its legitimate interests, specifically:
_ to correctly fulfil commitments arising from insurance contracts aimed at covering risks connected to employer liability regarding health and safety at work and occupational illnesses or for damage to third parties in carrying out work or professional activities;
_ to protect, when necessary - in a court of law or any other equivalent setting - the Controller’s, or a third party's, rights/interests arising as a result of the established relationship.
Pursuant to current privacy legislation (art. 111-bis of the Privacy Code), the Controller may legitimately process the data subject’s personal data, without having the data subject grant his/her specific content, if such processing is necessary to allow an employment or collaborative relationship to be established with the Controller (see point 1).
Processing is also legitimate when necessary:
· to fulfil or to require the fulfilment of specific commitments or to carry out specific tasks required by law or by collective agreements, including corporate ones, with the aim of establishing an employment relationship, or for one of the other purposes specified above (see point 2);
· to pursue the Controller’s, or a third party’s, legitimate interests, on the basis of that specified above (see point 3).
Further processing carried out for any purpose other than those specified above will require a new information notice to be communicated, in advance, describing the new purpose of processing and including any other relevant information, including any request for the data subject to grant his/her specific consent to the new processing.
PROCESSING METHODS AND CONFIDENTIALITY OBLIGATION
Data are processed by means of IT tools and/or hard copy, by persons expressly authorised, duly trained and bound by confidentiality agreements, using logic appropriate to the purposes and, in any case, in order to guarantee the security and confidentiality of the data.
Automated processes designed to create a profile on the data subject are not used. Data collected will not be disclosed or disseminated to third parties.
Communication to third parties
The Controller may communicate personal data to a third party – specifically identified – who may use these data exclusively for the purposes referred to in this information notice.
Specifically, data may be communicated to the following recipients:
· external consultants who perform specific services on behalf of the Controller, for commitments connected or functional to the purposes indicated above and subject to a specific agreement on the processing of personal data as per art. 28 of the GDPR;
· other companies within the "Centro di Firenze per la Moda Italiana" group (of which the Controller is a part), for the sole purpose of a potential professional placement for the data subject in one of the other companies in the group;
· public bodies, the Public Administration and any other public authority in order to fulfil a legal obligation.
The data’s storage period
Personal data will be processed for the period necessary to achieve the purposes specified above. Except in the case in which the data subject is recruited, data will not be stored beyond the term of twenty-four months from the date on which the curriculum was sent or from the date of its last update (in this case, the update request sent by the data subject is considered).
Transferring data outside of the EU
The Controller will not transfer data outside of the European Union.
Rights regarding the data
It should be noted that, in reference to the processing of personal data, the data subject may exercise the following rights for which, in some cases, the law imposes limits or conditions on the basis of articles 15 and following of the GDPR:
the right to access the data: specifically, the data subject has the right to obtain from the Controller the confirmation or otherwise that the data subject’s personal data are subject to processing and, if this is the case, to receive from the Controller a copy of the personal data subject to processing together with general information about such processing as indicated in art. 15 of the GDPR;
the right to have the data updated or rectified, without unjustified delay, in the event of inaccurate or out of date data; bearing in mind the purposes of the processing, the data subject has the right to have incomplete personal data supplemented, by providing an additional declaration;
the right to have the data erased: the Controller is obliged to erase personal data, without unjustified delay, if one of the following situations exist:
a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
b) the data subject withdraws his/her consent on which the processing is based in accordance with point (a) of article 6(1) of the GDPR or point (a) of article 9(2) of the GDPR, and where there is no other legal ground for the processing;
c) the data subject objects to the processing pursuant to article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to article 21(2) of the GDPR;
d) the personal data have been unlawfully processed;
e) the personal data have to be erased for compliance with a legal obligation under European Union or Member State law to which the Controller is subject;
f) the personal data have been collected in relation to the offer of information society services referred to in article 8(1) of the GDPR.
It should also be noted that the erasure request cannot be accepted to the extent that processing is necessary:
a) for exercising the right of freedom of expression and information;
b) for compliance with a legal obligation which requires processing by Union or Member State law to which the Controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of article 9(2) of the GDPR as well as article 9(3) of the GDPR;
d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with article 89(1) of the GDPR in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
e) for the establishment, exercise or defence of legal claims.
the right to restrict processing: the data subject has the right to obtain from the Controller restriction of processing where one of the following applies:
a) the accuracy of the personal data is contested by the data subject, for a period enabling the Controller to verify the accuracy of the personal data;
b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
c) the Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
d) the data subject has objected to processing pursuant to article 21(1) of the GDPR pending the verification of whether the Controller’s legitimate grounds override those of the data subject.
Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State.
A data subject who has obtained restriction of processing shall be informed by the Controller before the restriction of processing is lifted.
the right to oppose processing: specifically, if the data subject is no longer interested in being contacted by the Controller (or by one of the other companies in the group) with regard to employment or professional collaboration opportunities, he/she has the right to object, at any time, to the processing of his/her data, and therefore even prior to the 24-month period for which these data are stored, by making a request to the Controller who will then refrain from further processing these same data.
The Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
the right to data portability: the data subject has the right to receive the personal data concerning him or her, which he or she has provided to a Controller, in a structured, commonly used and machine-readable format and the data subject has the right to have those data transmitted to another controller without hindrance from the Controller to which the personal data have been provided, where:
a) the processing is based on consent pursuant to point (a) of article 6(1) of the GDPR or point (a) of article 9(2) of the GDPR or on a contract pursuant to point (b) of article 6(1) of the GDPR; and
b) the processing is carried out by automated means.
In exercising his or her right to data portability, the data subject has the right to have the personal data transmitted directly from one controller to another, where technically feasible.
Exercising the right to data portability is without prejudice to the right to erase the same data.
This right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller.
This right shall not adversely affect the rights and freedoms of others.
To exercise any of the aforementioned rights, the data subject may contact the Controller at the address indicated above, specifying the subject of the request.
The Controller will endeavour to provide a response to the request without unjustified delay, and, in any case, at the latest, within one month from having received the said request.
The data subject also has the right to lodge a complaint with a supervisory authority.
For more details, consult the Italian Data Protection Authority’s website www.garanteprivacy.it
The Controller acknowledges that the source of the data consists of the CV sent by the data subject. Providing personal data is necessary in order to be able to consider the candidate’s application and any failure to supply this information, which is considered essential (identify data and contact details), may preclude this process or make it less practicable.
DATA CONTROLLER AND PRIVACY COMMUNICATIONS
The Controller is Pitti Immagine S.r.l., with offices in Via Faenza, 111, Florence, Italy.
The Controller has provided the following address for all communications pursuant to the above articles of EU Regulation 2016/679: firstname.lastname@example.org