INFORMATION NOTE pursuant to Article 13 of Regulation (EU) 2016/679 (“GDPR”)

1. DATA CONTROLLER AND DPO

The Data Controller is Immsi S.p.A. in the person of its pro tempore legal representative, with its registered office in Piazza Vilfredo Pareto, 3 - 46100 Mantova (the “Company” or the “Data Controller”).

It is possible to contact the Data Controller at the telephone number 0376/2541, or by writing to its registered office.

The Data Protection Officer (“DPO”) appointed by the Data Controller pursuant to Articles 37 et seq of the GDPR is Immsi Audit S.p.A. (in the person of the Managing Director Maurizio Strozzi).

You can contact the DPO at the telephone number 0376/24641, by ordinary mail at Piazza Vilfredo Pareto, 3 - 46100 Mantova, or by sending an e-mail to privacy@immsi.it.

The updated list of the Data Processors and staff involved in processing is kept at the registered office of the Data Controller.

2. PERSONAL DATA PROCESSED BY THE DATA CONTROLLER

For the purposes indicated in the following point 3, the Data Controller deals with the following personal data:

  • common and contact data, such as name, surname, place and date of birth, tax code, address, telephone number, e-mail address and other contact details;
  • data relating to your state of health (e.g. your possible inclusion in a protected category);
  • financial data (e.g. your income)

3. PURPOSE OF THE PROCESSING AND LEGAL BASIS

The processing of your personal data is necessary for the personnel selection process, including, but not limited to, the examination of your CV and the organisation of interviews, aimed at the possible establishment of an employment relationship.

The legal basis for the processing of your data is, therefore, the execution of pre-contractual measures at the request of the data subject, pursuant to Article 6, first paragraph, letter b) of the GDPR; therefore, your consent is not necessary to authorise the processing.

With regard to your health data, the legal basis for the processing of your data is your consent, pursuant to Article 6, first paragraph, letter a) of the GDPR. 

4. NATURE OF DATA PROCESSING AND CONSEQUENCES OF A REFUSAL

The processing of your personal data, including those relating to your health, is a necessary requirement for the selection process, and therefore your refusal to provide such personal data will make it impossible for the Data Controller to perform the same. 

5. PERIOD OF RETENTION OF YOUR PERSONAL DATA  

The Data Controller shall process your personal data for the purposes indicated above, for the time necessary to manage the selection process. In particular, your CV will be kept at the Company 5 years from receipt of the same (except for the establishment of the employment relationship), and will subsequently be deleted.

6. METHODS FOR THE PROCESSING OF YOUR PERSONAL DATA 

The processing of your personal data shall take place, in compliance with the provisions of the GDPR, using physical, computerised and electronic means, for the purposes indicated and, in any case, with suitable methods to guarantee their security and confidentiality in accordance with the provisions of Article 32 of the GDPR.

7. PARTIES TO WHICH PERSONAL DATA MAY BE COMMUNICATED OR WHO MAY BECOME AWARE OF THEM

For the pursuit of the purposes described in Article 3 above, your personal data shall be communicated to employees, external consultants and, in general, to Company personnel who operate as persons authorised to process personal data, specifically appointed as staff involved in the data processing.

Furthermore, your personal data may be processed by the following third parties:

a)     Parties that provide services for the management of the information system and website of the Data Controller and of the telecommunications networks.

b)     Companies belonging to the Immsi Group.

The subjects belonging to the above categories operate, in some cases, in complete autonomy as separate Data Controllers, in other cases, as Data Processors specifically appointed by Immsi.

Your personal data shall not be disclosed to the public.

8. YOUR RIGHTS AS A DATA SUBJECT 

In relation to the processing described in this Information Note, you may exercise the rights listed in this section, set out in Articles 15 to 21 of the GDPR. In particular: 

  • Management of your data – Right of access  – Article 15 of the GDPR: the right to obtain confirmation from the Data Controller about whether or not personal data processing is underway concerning you and, if so, to obtain access to your personal data - including a copy thereof - and the communication of the following information:

a)   purpose of the processing;

b)   categories of personal data processed;

c)   recipients or categories of recipients to whom personal data have been or will be communicated;

d)   data retention period or the criteria used to determine it;

e)   the existence of the right to ask the Data Controller to rectify or delete personal data, or limit the processing of personal data concerning the data subject, or the right to object to such processing;

f)    the right to lodge a complaint with the competent authority;

g)   the origin of the personal data, if these were not collected directly;

h)   the existence of any automated decision-making processes, including profiling.

  • Rectification of inaccurate or incomplete information – Right of rectification – Article 16 of the GDPR: the right to obtain, without undue delay, the correction of inaccurate personal data concerning you or the integration of incomplete personal data.
  • Cancellation – Right to cancel – Article 17 of the GDPR: the right to obtain, without undue delay, the correction of inaccurate personal data concerning, whenever:

a)  the data are no longer necessary with respect to the purposes for which they were collected or otherwise processed;

b)  you have revoked your consent and there is no other legal basis for the processing;

c)   you have objected strictly to the processing of personal data;

d)   the data were unlawfully processed;

e)  the data must be deleted to comply with a legal obligation;

f)   the personal data have been collected in relation to the provision of information society services referred to in Article 8 (1) of the GDPR.

If you no longer wish for us to use your information, you may request the deletion of your personal data. We inform you that if you request the deletion of your personal data, we may store and use your personal data to the extent that this is necessary to comply with legal obligations or to perform a task carried out in the public interest or for the exercise of a public authority attributed to the Data Controller, or for the assessment, exercise or defence of a right in court. By way of example, we may retain some of your personal data for tax, legal and audit obligations.

  • Limitation of processing – Right to limitation of processing  – Article 18 of the GDPR: right to obtain the limitation of processing from the Data Controller, if:

a)   you dispute the accuracy of personal data for the period necessary for the Data Controller to verify the accuracy of such personal data;

b)   the processing is illegal and you are opposed to the cancellation of personal data and ask instead that its use be limited;

c)   although the Data Controller no longer needs it for processing purposes, the personal data are necessary for you to ascertain, exercise or defend a right in court;

d)   you have objected to the processing pursuant to Article 21, paragraph 1 of the GDPR pending verification of the possible prevalence of the legitimate reasons of the Data Controller with respect to yours. 

  • Access to data and portability – Right to data portability  – Article 20 of the GDPR: the right to receive, in a structured format which is commonly used and readable by an automatic device, the personal data concerning you provided to the Data Controller and the right to transfer them to another Data Controller without impediments, if the processing is based on consent and is performed with automated means. Furthermore, the right to ensure that your personal data is transferred directly by the Data Controller to another Data Controller if this is technically feasible. 
  • Complaints – to file a complaint with the competent Authority regarding personal data, sending the complaint to: Piazza di Monte Citorio no. 121 - 00186 Rome; email: protocollo@pec.gpdp.it.

The above rights may be exercised by contacting the Data Controller or the DPO at the addresses indicated in the foregoing Article 1. We inform you that the Data Controller may ask you to verify your identity before proceeding on the basis of your request.