Privacy Notice for Applicants

PRIVACY NOTICE ON THE PROCESSING OF PERSONAL DATA PURSUANT TO ARTICLE 13 OF REGULATION (EU) NO. 2016/679 

Pursuant to Article 13 of Regulation (EU) No. 2016/679 (hereinafter the "GDPR"), Avvale S.p.A. and its affiliates (hereinafter "Avvale" or the "Data Controller") informs you that your personal data (hereinafter the "Data"), collected from you or, occasionally, from third parties, will be processed in compliance with the provisions of the aforementioned Regulation, D. Lgs. 196/2003 (hereinafter the "Privacy Code") and further modifications, by Law no. 300/1970 and in compliance with the information below, as well as with the provisions issued by the Supervisory Authority (Garante per la Protezione dei dati Personali) , as applicable from time to time.

• Data Controller and Data Processors.

The Data Controller is Avvale S.p.A. with registered office in Via Melzi D'Eril 34, Milan (20154), Italy, e-mail: privacy@avvale.com. The updated list of any data processors is available at the Data Controller's registered office.

• Data Protection Officer  

The Data Controller has appointed a DPO  (Data Protection Officer) in the person of Dr. Ing. Danilo Roggi, who can be contacted at the following e-mail address: dpo@avvale.com. 

• Methods of data collection.

Data are collected through i) the spontaneous sending of CVs by the candidate to the e-mail address job.italy@avvale.com or through the selected channels indicated on the Data Controller's website; ii) consultation of specialized databases, within which the candidate has made his/her CV available for consultation by interested companies (e.g. AlmaLaurea); iii) recruitment agencies and companies specializing in personnel search and selection (e.g. Monster, Indeed); iv) social media (e.g. LinkedIn); v) social media (e.g. LinkedIn); vi) the use of the data collected by the Data Controller. AlmaLaurea); iii) recruitment agencies and companies specializing in the search and selection of personnel (e.g. Monster, Indeed); iv) social media (e.g. LinkedIn); v) any other method through which candidates' CVs are made available to the Company. 

• Categories of Data.

The following are subject to the processing referred to in this policy:

1. personal data that do not fall under special categories of personal data (e.g. personal details, contact details, data relating to training, data relating to previous work experience, data relating to remuneration, etc.);
2. where applicable, health-related data relating, for example, to membership of protected categories.

Other data belonging to the special categories of personal data, not requested by the Controller and voluntarily provided by the candidate (such as data revealing trade union membership, political opinions, religious or philosophical beliefs, racial or technical origin, as well as data concerning the person's sex life or sexual orientation) are not processed.

• Purpose and legal basis of the processing. 

The Data will be processed in order to:

1. manage all the phases of the personnel selection process, up to the moment of the establishment of the employment or collaboration relationship with the Controller, with exclusive reference to the current position for which your application has been selected 
2. to fulfil the obligations or to exercise the rights provided for by law and by collective agreements in the field of labor law, social security and social protection, with exclusive reference to the placement of persons belonging to protected categories and the disabled.

The processing of Data for the purpose sub a) does not require your consent as the processing is necessary for the performance of the activities aimed at the establishment of the employment or collaboration relationship, pursuant to Art. 6, c. 1, letter b) of the GDPR.

The processing of Data for the purpose under b) does not require your consent as it is necessary to fulfil the obligations to which the Data Controller is subject and to allow the candidate to exercise the rights provided by law or collective agreements, pursuant to Article 9, c. 2, letter b) of the GDPR.

• Provision of data and consequences in the event of non-provision.

The provision of Data for the purposes of sub a) is optional, but necessary for the purposes of carrying out the selection activities. The provision of Data for the purposes sub b) is optional, but is a necessary requirement for the establishment of a possible employment or collaboration relationship. In both cases, failure to provide the Data will make it impossible for the Data Controller to proceed with personnel selection activities and the establishment of an employment or collaboration relationship with you. 

• Recipients or categories of recipients.

The Data may be made accessible, brought to the attention of or communicated to the following subjects, who will be appointed by the Data Controller, as the case may be, as data processors or persons authorized to process the Data:

• companies of the group to which the Data Controller belongs (parent companies, subsidiaries, associates), employees and/or collaborators in any capacity whatsoever of the Data Controller and/or companies of the group to which the Data Controller belongs;
• public or private entities, natural or legal persons, which the Data Controller uses for the performance of activities instrumental to the achievement of the aforesaid purpose or to which the Data Controller is obliged to communicate the Data, by virtue of legal or contractual obligations;

Your Data will not be disseminated in any case.

• Transfer of Data to third countries.

The Data Controller operates internationally with offices and affiliates in several countries around the world. Therefore, personal data processed by the Controller may be transferred outside the EEA, to countries that may not provide a level of protection for personal information equivalent to that guaranteed by European data protection legislation. Whenever Your personal information is transferred internationally, the Controller takes appropriate measures to ensure its security and confidentiality in accordance with applicable data protection law. 

• Retention Period.

The Data will be stored in our archives according to the following parameters

• data will be included in the company database used for selection activities and kept for 12 months;
• in the event that you are interviewed by companies of the Avvale Group, the retention period of your data will be 24 months.

Once this retention period has expired, your data will be destroyed or rendered anonymous.

• Rights of access, cancellation, restriction and portability.

Data subjects are granted the rights set out in Articles 15 to 20 of the GDPR. By way of example, each data subject may:

1. obtain confirmation as to whether or not personal data concerning him or her is being processed;
2. if a processing is taking place, obtain access to the personal data and information relating to the processing as well as request a copy of the personal data
3. obtain the rectification of inaccurate personal data and the integration of incomplete personal data
4. obtain, if one of the conditions provided for in Article 17 of the GDPR is met, the deletion of personal data concerning him/her
5. obtain, in the cases provided for in Article 18 of the GDPR, the restriction of processing
6. in the cases provided for by Article 20 of the GDPR, receive the personal data concerning him/her in a structured, commonly used and machine-readable format and request their transmission to another controller, if technically feasible.

• Right to object.

Each data subject has the right to object at any time to the processing of his or her personal data carried out in pursuit of a legitimate interest of the Controller. In the event of opposition, his/her personal data shall no longer be processed, unless there are legitimate grounds for processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

• Right to lodge a complaint with the Supervisory Authority.

In addition, each data subject may lodge a complaint with the Supervisory Authority (Garante per la Protezione dei dati Personali) if he or she believes that his or her rights under the GDPR have been violated, according to the procedures indicated on the Garante's website accessible at: www.garanteprivacy.it.

• Exercise of rights.

The above rights may be exercised by sending an e-mail to the Data Controller at the following address: privacy@avvale.com or to the DPO at the following address: dpo@avvale.com.