Information for candidates on the protection of personal data
Reference legislation:
– Legislative Decree no. 196 of 30 June 2003, amended by Legislative Decree no. 101 of 10 August 2018, Code on the protection of personal data (hereinafter the “Privacy Code”);
– EU Regulation no. 679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter the “Privacy Regulation”).
***
We wish to inform you that, following the sending of your curriculum vitae and in order to explore the possibility of turning your application into an employment relationship, we collect and process your personal data (as “Data Subject”) and possibly the personal data of your family members, which will be processed in accordance with current legislation on the processing of personal data.
The Privacy Regulation defines personal data as “any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
The Privacy Regulation, Article 9, defines “special categories of data”, namely those revealing, for example, racial or ethnic origin, membership of a political party or holding of an elected public office, religious or philosophical beliefs, trade union membership, data concerning sex life or sexual orientation, or data revealing, for example, a general state of health (absence due to illness, maternity, accident or mandated work), fitness or unfitness for certain duties.
Personal data processing means the execution of “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”.
1. Data Controller, Data Processors and Data Protection Officer.
The Data Controller is MDF ITALIA SRL SOCIETA’ UNIPERSONALE – Tax code and VAT IT 09683280961, Operating headquarters: via Fratelli Cervi, 4/A, 22066 Mariano Comense (CO), Registered office at Via della Posta 10, 20123 Milan, e-mail info@mdfitalia.it (hereinafter the “Company” or the “Controller”).
The updated list of Data Processors, where designated, may be supplied at the request of the Data Subject.
If a Data Protection Officer is appointed (under Article 37 of the Privacy Regulation), the Officer’s identification details will be published as a supplement to this policy.
2. Purposes and methods of data processing.
Your personal data are provided directly by you by registering with our recruiting platform so as to create your professional profile and send your curriculum vitae, either unsolicited or for the purpose of applying for specific job positions.
Your personal data are also processed to assess your application, to contact you for a possible professional interview and to carry out any other necessary activity to complete the selection operations aimed at your recruitment or collaboration with the Company, in compliance with the principle of equality between female and male candidates, which prohibits any gender-based discrimination pursuant to Legislative Decree no. 198, 11 April 2006 (Code of Equal Opportunities between men and women), as amended by Legislative Decree no. 5, 25 January 2010 and Law no. 183, 4 November 2010.
In this case, the Controller will process your personal data to implement the precontractual measures taken at your request and aimed at the possible establishment of an employment relationship or collaboration with the Company; therefore, your consent is not required.
Please note that the Company does not require the supply of personal data falling within the special categories of data referred to in Article 9 of the Privacy Regulation, for the purpose of the registration and creation of your professional profile; therefore, if your curriculum vitae contains such personal data, we will have to delete your curriculum vitae.
Such personal data are processed in accordance with the methods and limits defined by the law in force on personal data processing.
Please note that consent to the processing of personal data may be withdrawn at any time; the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
In relation to the aforesaid purposes, personal data are processed by persons specifically designated and trained to process data under Article 2-quaterdecies of the Privacy Code and Article 29 of the Privacy Regulation, as well as by external parties (e.g. staff selection companies, external consultants for the processing of salary and contribution data, etc.), who may act as independent Data Controllers or be designated in writing as Data Processors. In any case, data processing will be carried out using manual, IT and telematic tools, using logic strictly related to the purposes of the processing, in such a way as to ensure the confidentiality and security of personal data, and in full and absolute compliance with current law.
Your data will be processed in Italy and, in any event, within the EU.
3. Mandatory or optional nature of data provision, consequences of any refusal and legal basis of data processing.
With respect to the aforesaid purposes, the provision of personal data is required, since a working relationship cannot be established with the Data Subject without it. Therefore, the legal basis of data processing is the assessment of the possibility of establishing an employment relationship with the Data Subject at the request of the same (pursuant to Article 6(1)(b) of the Privacy Regulation).
4. To whom and in what context we may communicate the personal data of the Data Subject.
In relation to the purposes of data processing indicated above and within the limits strictly relevant thereto, your personal data will or may be communicated, in Italy, or otherwise within the EU:
(i) to all persons involved in any capacity in recruitment activities for the purpose of the stipulation of an employment relationship, appointed and instructed in writing by the Controller in accordance with the law and in the manner provided for in the Company’s allocation of duties;
(ii) to external consultants called upon to provide the aforesaid service, except where they are designated in writing as Data Processors.
The persons indicated above, to whom your personal data will or may be communicated (except where they are designated in writing as Data Processors), will process such personal data as Data Controllers in accordance with the law in force, acting in full autonomy, being not involved in any processing operations carried out by the Controller. A detailed and constantly updated list of these persons, with an indication of their respective offices, is always available at the Controller’s office.
Your personal data will not be disclosed.
5. Rights of the Data Subject.
Article 15 et seq. of the Privacy Regulation grants the Data Subject the right to obtain, in the manner and within the limits set out in Article 2-undecies of the Privacy Code and Article 12 of the Privacy Regulation:
- confirmation of the existence of personal data concerning him/her, even if the data have not yet been registered, and their communication in intelligible form;
- the indication of the origin of personal data, the purposes and methods of processing, the logic applied in case of processing using electronic means, the identity of the Data Controller;
- the updating, rectification, integration, erasure, transformation into anonymous form or blocking of data processed unlawfully – including data whose retention is unnecessary for the purposes for which the data were collected or subsequently processed –, the attestation that these operations have been brought to the attention – also with regard to their content – of those to whom the data have been disclosed or disseminated, except in the case where such activity proves impossible or involves a use of means manifestly disproportionate to the protected right.
The Data Subject has the right to:
- withdraw consent, if given, to personal data processing at any time (without prejudice to the lawfulness of processing based on consent given before its withdrawal);
- object, in whole or in part and for legitimate reasons, to the processing of personal data concerning him/her, even if they are relevant for the purpose of the data collection;
- object, in whole or in part, to the processing of personal data concerning him/her for the purpose of sending advertising or direct sales materials or for carrying out market or commercial communication research;
- lodge a complaint with the Personal Data Authority in the cases provided for by the Privacy Regulation, by contacting the Personal Data Authority directly (website: gpdp.it – www.garanteprivacy.it; e-mail: garante@gpdp.it; fax: (+39) 06.69677.3785; switchboard: (+39) 06.69677.1);
- obtain data portability within the limits set out in Article 20 of the Privacy Regulation.
To obtain the detailed and constantly updated list of persons to whom the personal data of the Data Subject may be communicated and to exercise the rights set out in Article 15 et seq. of the Privacy Regulation, the Data Subject may contact info@mdfitalia.it, as Data Controller.
6. Security measures.
All processing operations are carried out by adopting appropriate technical and organisational measures to ensure a level of security appropriate to the risk in accordance with the procedures set out in Articles 5 et seq. and 32 et seq. of the Privacy Regulation, and with the corresponding measures issued by the Personal Data Authority.
In this respect, it is confirmed, inter alia, that appropriate security measures have been taken to prevent any unauthorised access, theft, disclosure, modification or destruction of the data of the Data Subject.
7. Duration of data processing.
In accordance with Article 5 e) of the Privacy Regulation, the personal data being processed will be stored, without prejudice to any legal obligations, for the time strictly necessary for the purposes referred to above and, in any event, for no more than 12 months.