Privacy Policy for the processing of candidates’ personal data

Pursuant to EU Regulation 2016/679

The present policy describes the processing of your personal data and is provided pursuant to articles 13 and 14 of EU Regulation 2016/679 (hereunder, the “GDPR”) and to applicable Italian laws and regulations on the privacy and protection of personal data.

1. Identity and contact details of the data controller

EUROSEARCH CONSULTANTS S.R.L. with registered offices Torino (TO), Corso Vittorio Emanuele II, n. 98, (tax id. 01453370031 VAT n. 1110330152), in the person of the legal representative in office, e-mail: info@eci-eurosearch.com hereunder, “Eurosearch” or the “Company” or “Controller”).

In case the Controller uses processors or sub-processors for the processing of data pursuant to art. 28 o the GDPR, the updated list of processors or sub-processors pursuant to art. 28 of the GDPR is held at the registered offices of the Controller.

2. What types of personal data we may process

The type of personal data we may collect depends on the purpose for which it is collected.

In general, we may collect the following types of personal data:

  1. Personal contact details, including but not limited to: name, surname, date and place of birth, tax identification number, photo or video presentation, email address, gender, education certificate, work experience and other data you may have entered in the CV);

  2. Special categories of data pursuant to art. 9 of the GDPR or required data pursuant to art. 9 par. 2 letter b) of the GDPR, such as data that may reveal a health issue, for example belonging to “protected categories” in Italy, that may be held in the CV or in any further document you sent to the Controller. Specific sets of data may be used solely to assess an application for positions subject to targeted recruitment. In the absence of such cases and in the absence of the conditions set out in art. 9 of the GDPR, such data shall not be taken into consideration and shall be immediately deleted.

Hereunder, “Personal Data”.

 

Your Personal Data shall be gathered directly from you as Data Owner and/or from third parties in connection with your previous work experience (only subsequently to your consent) and/or from publicly-accessible sources such as your professional profile held in professional social networks (subject to the limitations set forth herein).

3. Why we process personal data and on what legal basis

The processing of Personal Data by the Data Controller shall take place:
A) Without your specific consent (art. 6 letter b) to f) of the GDPR):

  • For purposes connected or instrumental to the performance of candidate search and selection activities for all of the positions managed by the Company. In such case, the legal basis consists in the performance of pre-contractual measures implemented on request of the candidates themselves pursuant to  art. 6 par. 1, letter b) of the GDPR.
  • Any Personal Data you may have provided in connection with special categories of data as per art. 9 of the GDPR shall be processed – only where necessary and applicable – to assess your application to work positions falling under targeted recruitment. In such case, the legal basis is the need to comply with obligations and to exercise the specific rights of the employer or of the Data Owner in terms of labour law and social security and protection, in as far as authorised by the laws of the EU or its Member States or by a national labour contract pursuant to the laws of Member States, in the presence of suitable guarantees for the fundamental rights and interests of the Data Owner (art. 9 par. 2 letter b) of the GDPR).
  • To pursue the legitimate interest of the Data Controller or third parties pursuant to art. 6 par. 1 letter f) in connection with public information found in your profile in professional social networks, to verify that the data you have provided corresponds with what you have stated, limited to information of a professional nature only, required solely to assess specific risks connected with the activities that will need to be carried out on the basis of the profile searched, taking any necessary measure to ensure the proper balancing of your interests, rights and fundamental freedoms with our own legitimate interest.
  • To enable the Company to exercise its rights in court and to repress unlawful behaviours. In such cases, the legal basis for processing shall consist in the legitimate interest of the Controller, pursuant to  art. 6 par. 1 letter f) of the GDPR in connection with the right to defence and to exercise one’s rights or those of a third party.

B) Only subject to your previous, specific and explicit consent (art. 6 letter a) and art. 7 of the GDPR), for the following purpose:

  • Keeping your files in the Controller’s databank for purposes of managing future applications or future search and selection activities. In such case, data may be held and/or filed for a maximum of 15 (fifteen) years, in compliance with the reasonable expectations of the Data Owners.

C) Only subject to you specific and separate consent (art. 6 letter a) and art. 7 of the GDPR), for the following purpose:

  • Communicate your Personal Data to business partners belonging to the international ECI Group S.r.l., for the purpose of offering you further employment opportunities.

4. Compulsory delivery of data

Delivery of data is compulsory for staff search and selection activities (art. 3 letter A). Refusal to provide data will prevent the Company from carrying out such activities and will not enable your application to be considered. Provision of data for the purposes of art. 3 letter B) above is optional.

5. How long do we keep and process your personal data

Your Personal Data shall be processed by the Data Controller only for the time needed for satisfying the purpose of processing, as stated above in article 3, after which it will be held exclusively for compliance with applicable legal and regulatory obligations, for administrative purposes and/or to exercise or defend our rights, and in any case no longer than for the time set out for the prescription of such rights.

6. How do we process your personal data

Personal Data is subject to both physical and electronic and/or automatised processing for the time needed to reach the purposes for which it was obtained by the Data Controller or by subjects that are duly authorised and/or appointed for such duties and are constantly identified and/or named, properly instructed, and informed of legal and regulatory limitations; and through the use of security measures that can guarantee privacy and avoid risks of loss or destruction, unauthorised access, unauthorised processing or processing that does not comply with the purposes listed above.

7. To whom we may communicate your personal data

For the purposes listed above, your Personal Data may be made accessible or communicated:

  • To staff and consultants of the Data Controller in their position as authorised Processors, within the scope of their duties and in compliance with the instructions received. Such individuals are in any case subject to compliance with confidentiality and privacy obligations;
  • To third parties who carry out activities outsourced by the Data Controller, whose activities are connected, instrumental or in support of the ones of the Controller (e.g. management software);
  • To any public and/or private subject, physical and/or legal person (such as legal, administrative or tax consultants, provident or pension funds - including private, Court Offices, Chambers of Commerce) if such communication is necessary or functional to proper compliance with contractual obligations and/or legal and regulatory obligations;
  • To any subject (including Public Authorities) that may be granted access to personal data by way of legal or administrative orders.

Data may be disclosed to subjects operating as autonomous Data Controllers (including clients of the Company, and/or professionals) also in the performance of legal or regulatory obligations; or it may be processed, on account of the Company, by subjects appointed as Processors who shall be provided with adequate operational instructions.

In any case, your Personal Data shall not be sold or transferred to third parties for marketing purposes and shall not be publicly disclosed.

8. Transfer of personal data outside of the EU area

The management and storage of your Personal Data shall take place in Europe. It is understood that where necessary, the Data Controller shall be entitled to have your Personal Data Processed outside of the EU (EEA). In such case, the Data Controller guarantees that the transfer outside of the EEA shall take place in compliance with applicable legal and regulatory obligations, where necessary entering into agreements that guarantee an adequate level of protection and/or implementing standard contractual clauses as provided by the European Commission.

9. Your rights

Pursuant to articles 15 et seq. of the GDPR and of applicable national regulations in terms of privacy and protection of personal data, you are entitled to:

  1. Obtain confirmation from the Data Controller that your personal data is being processed, and obtain access to your personal data and to the following information:
    • Purposes of processing; 
    • Categories of personal data involved;
    • Subjects or groups of subjects to whom data may be communicated, in particular if they are in other countries or international organisations;
    • Where feasible, the expected period of conservation of the personal data, or if not possible, the criteria used to set out such period;
    • If the personal data is not collected from the Data Owner, all of the information on its origin;
    • The existence of an automatised decision-making process.
  2. Obtain from the Data Controller a correction to inexact personal data concerning you without undue delay. Keeping in mind the purpose of processing, the Data Owner is entitled to obtain the  integration of incomplete personal data, also by delivering a statement.
  3. Obtain from the Data Controller the deletion of personal data concerning you without undue delay, and the Data Owner is required to delete without undue delay such personal data with the limitations and in the cases provided by applicable laws and regulations.
  4. Obtain from the Data Controller a limitation to processing.
  5. Obtain the personal data that concerns you from the Data Controller in a format that is structured, commonly used and legible from an automatic device, and you have a right to data portability and therefore to transmit such data to another Data Controller without impediment on behalf of the Data Controller to whom it has been delivered it if the processing is based on consent or on a contract, and the processing is carried out with automatised means. 
  6. Object at any moment, for reasons connected to your specific situation, to the processing of your personal data if processing is necessary for the performance of a duty of public interest or connected with the exercise of public powers with which the Data Controlled is invested or processing is required for the pursuit of legitimate interest by the Data Controllers or others.
  7. 7)    If you consider that your rights have been breached by the Data Controller, submit a complaint to the supervisory authority: Autorità Garante per la protezione dei dati personali (www.garanteprivacy.it) and/or to another competent supervisory authority pursuant to the GDPR.

Following the exercise of the rights set out in points 2), 3) and 4), the Data Controller shall inform each of the recipients to whom personal data was sent of any correction or cancellation or limitation in processing within the limits and in the forms set out by the present regulation.

To exercise the above rights with respect to the Data Controller, you should send a written request by registered mail with return receipt to Eurosearch Consultants S.R.L., C.so Vittorio Emanuele II, 98, 10121 Turin, Italy, or by email to info@eci-eurosearch.com.

10. What happens in case of amendment to the privacy policy

The present privacy policy may be amended and/or updated at any time. Should the Data Controller intend to process your personal data for different purposes with respect to the ones provided in art. 3 above, it shall provide you – before such processing – with adequate information in connection with such different purposes and shall carry out such further processing in compliance with applicable laws and regulations, obtaining your specific consent where necessary.