Information in accordance with and pursuant to articles 13 and 14 of the EU GDPR 2016/679 and the national legislation in force relating to the protection of the processing of personal data.
With this Policy, VENISTAR SRL provides the Data Subject with the information referred to in Articles 13 and 14 of GDPR 2016/679 regarding the processing of personal data concerning him/her.
Controller of the data processing.
The Data Controller is VENISTAR SRL, with registered office at Viale Francesco Restelli 1, 20124 Milan - Italy.
Data Protection Officer (DPO).
The Data Controller has appointed a Data Protection Officer (DPO) who may be contacted by the Data Subject for all matters relating to the processing of personal data and the exercise of the rights under the GDPR 2016/679. The contact address of the DPO is: email@example.com.
Purpose and legal basis of the processing.
The collection and processing of personal data is carried out in order to pursue:
- the management of E-recruitment applications, in particular of the CV sent through the contact on the website for the purpose of responding to the requests sent and for evaluating the profile for the possible establishment of a working relationship or professional collaboration (processing necessary in order to take steps at the request of the Data Subject prior to entering into a contract in accordance with Article 6(1)(b) of GDPR 2016/679).
Please note that the CV should not include special categories of data (so-called sensitive data) or data relating to criminal convictions and offences, unless such data are necessary for the establishment of the employment relationship in accordance with current legislation on job placement. As regards data relating to the health of disabled workers, please note that according to Law No. 68 of 12 March 1999, “Rules for the right to work of the disabled”, the CV should not indicate any pathology, but only state the possession of the requirements. Any other special categories of data indicated by you will not be taken into consideration, nor in any case processed, for the evaluation of the profile.
The collection and recording of data shall take place in accordance with the principles set out in Article 5 of GDPR 2016/679, namely for specific, explicit and legitimate purposes and in a manner compatible with those purposes, as part of the processing that is required for conducting business activities. Personal data shall be accurate and, where necessary, updated, so that they are adequate, relevant and limited to what is necessary and kept for no longer than their intended use in relation to the purposes for which they are collected and subsequently processed in accordance with the GDPR 2016/679 and current national legislation.
Personal data may be processed with the aid of both paper and electronic means, or in any case by means suitable for recording and storing the data, and in such a way as to guarantee their safety and the utmost confidentiality of the Data Subject. Specific security measures will be observed to prevent data loss, unlawful or incorrect use and unauthorised access in full compliance with Article 32 of GDPR 2016/679 and current national legislation.
Mandatory or optional nature of providing data and consequences of refusal to provide such data.
The provision of data is not mandatory, but optional; however, any refusal to provide such data in whole or in part may make it impossible to act on the request of the Data Subject or to evaluate his/her professional profile.
Communication of data.
Without prejudice to current regulations in force and, in particular, to the principles set out in Article 5 of GDPR 2016/679, all collected and processed data may be communicated exclusively for the purposes stated in this Policy to the following recipients:
- Companies belonging to the same corporate group;
- Professionals and consultants, consulting companies, recruitment agencies, public employment agencies, public and private training institutions;
- Entities who process data on behalf of the Controller as Data Processors pursuant to Article 28 of GDPR 2016/679, including but not limited to professionals and/or companies appointed to carry out consultancy activities in the areas of labour law and information technology. The complete and up-to-date list of Data Processors is available, to those entitled to it, by simple request to the Data Controller’s head office;
- Entities legally entitled to access the data in accordance with the regulations in force and/or to whom the data must be communicated in compliance with legal obligations.
Personal data may be processed by employees and co-workers assigned to the competent Data Controller office, explicitly authorised to process the data in accordance with Article 29 of GDPR 2016/679 and current national legislation.
Transfer of data abroad.
Personal data may be communicated and/or transferred abroad only for the purposes stated in this Policy, or for exclusively technical reasons related to the structure of the Company’s IT System and/or the implementation of technical and organisational security measures deemed appropriate by the Data Controller (Article 32 of GDPR 2016/679), and exclusively in compliance with Articles 44 et seq. of GDPR 2016/679.
Data retention times.
Personal data shall be retained in our filing systems even after the job interview, for the fulfilment of all possible obligations related to this activity, and, in any case, for no longer than is necessary for the purposes for which they are processed (‘storage limitation’ principle pursuant to Article 5 of GDPR 2016/679). Specifically, the data shall be retained by the Data Controller for a period of 24 to 60 months, depending on the professional profile, it being understood that the aspiring candidate must update and/or reconfirm the application every 3 months, or in any event within 15 months at the latest, depending on the professional profile; failing this, or in the event of recruitment, the data shall be deleted. Depending on the specific limitation periods provided for by law, data required for ascertaining, exercising or defending a right may be subject to longer retention times.
Verifications on the obsolescence of the retained data in relation to the purposes for which they were collected are performed periodically.
Rights of the data subject.
The Data Subject may exercise the rights provided for within the limits and under the conditions set out in Articles 15 to 22 of GDPR 2016/679. In particular, the GDPR 2016/679 grants the Data Subject the following rights:
- Right of access (Article 15 of GDPR 2016/679);
- Right to rectify inaccurate personal data and right to integrate incomplete personal data (Article 16 of GDPR 2016/679);
- Right to erasure (Article 17 of GDPR 2016/679);
- Right to restriction of processing (Article 18 of GDPR 2016/679);
- Right to be informed about the recipients to whom any rectification or erasure of personal data or restriction of processing has been communicated (Article 19 of GDPR 2016/679);
- Right to data portability (Article 20 of GDPR 2016/679);
- Right to object (Article 21 of GDPR 2016/679);
- Right not to be subject to a decision based solely on automated processing (Article 22 of GDPR 2016/679).
In the event of signing any kind of consent to data processing, it should be noted that the Data Subject may revoke it at any time, without prejudice to the mandatory obligations provided for by the legislation in force at the time of the request, by contacting the Data Controller at the following email address: firstname.lastname@example.org.
Right to lodge a complaint.
The Data Subject who believes that the processing of his/her personal data is in violation of the provisions of GDPR 2016/679 has the right to lodge a complaint with the supervisory authority of the State of the European Union in which he/she habitually resides, works, or in the place where the alleged violation occurred, as provided for in Article 77 of GDPR 2016/679, or to apply to the competent judicial authorities.
Milan, 4 April 2022