Basic privacy statement disclosure for recruitment/collaboration Candidates
Who is the data controller?
Sisma S.p.A., hereinafter referred to as the Data Controller
Address: Via Industria 1 (36013) Piovene Rocchette (VI) Tel .: Email: privacy@sisma.com
Who is the Data Protection Officer?
DPO
Who are the recipients?
External data processors and any additional data controllers:
- Work consultants
- IT consultants
- Public entities
- recruitment and training companies/agencies
- internship promoters
What will be done with your personal data?
Personal data will be processed: for the selection and inclusion of the candidate in the organization of the Data Controller
The data will be processed on the basis of:
- activities planned at the end of the employment/business association relationship
- fulfilment of activities resulting from the procedure initiated
- fulfilment of legal obligations (protected categories reserve)
The personal data concerning you are:
- name, surname
- tax code
- place and date of birth
- address
- email
- landline and/or mobile phone number
- images
- CV data
- data that could reveal the state of health if collected
Personal data will be processed: for archiving and retention
The data will be processed on the basis of:
- legitimate interest of the data controller to establish future relationships
- fulfilment of legal obligations (protected categories reserve)
The personal data concerning you are:
- name, surname
- tax code
- place and date of birth
- address
- email
- landline and/or mobile phone number
- images
- CV data
- data that could reveal the state of health if collected
Personal data will be processed: for communication to recipients and/or third parties
The data will be processed on the basis of:
- activities planned at the end of the employment/business association relationship
- legitimate interest of the data controller or third parties and recipients
- fulfilment of legal obligations (protected categories reserve)
The personal data concerning you are:
- name, surname
- tax code
- place and date of birth
- address
- email
- landline and/or mobile phone number
- images
- CV data
- data that could reveal the state of health if collected
Personal data will be processed: for IT security management
The data will be processed on the basis of:
- access to the recruitment procedure
- legitimate interest of the data controller or third parties and recipients
The personal data concerning you are:
- logs and IP guidelines
The following personal data were not provided directly by you:
- Identification data
- CV data
- IT data
What is the origin of the personal data not provided by you?
- recruitment and training companies/agencies
- universities
- IT service provider
The Data Controller informs you that you can exercise the right of complaint to the competent Authority and the other rights provided for by arts. 15 et seq. of the European Regulation (EU) 2016/679 at any time.
For more information, see the full statement in the privacy section of the website www.sisma.com or contact us at privacy@sisma.com.
Full privacy statement for recruitment/business association Candidates
About us and what we do with your personal data
Sisma S.p.A., with registered office in Via Industria 1, (36013) Piovene Rocchette (VI) (hereinafter also the Data Controller), in its capacity as data controller, is concerned with the confidentiality of your personal data and guarantees that they will be protected against any event that may put them at risk of breach.
To this end, the Data Controller implements policies and practices regarding the collection and use of personal data and the exercise of the rights recognised by the applicable legislation. The Data Controller is responsible for updating the policies and practices adopted for the protection of personal data whenever necessary and in any case in the event of regulatory and organisational changes that could affect the processing of your personal data.
The Data Controller has appointed a Data Protection Officer (DPO) who you can contact if you have questions about the policies and practices adopted: dpo@sisma.com
How and why does the Data Controller collect and process your personal data?
The Data Controller collects and/or receives information about you, such as:
- name, surname
- tax code
- place and date of birth
- address
- landline and/or mobile phone number
- images
- CV data
- data that could reveal the state of health if collected
The personal data concerning you will be processed for the following purposes:
1) the selection of personnel and/or the start of a business relationship
Purpose:
- the search for candidates for open positions
- the collection of applications and CVs that can take place through: personnel recruitment advertisements through recruitment agencies, temporary agencies, universities, ads in newspapers, magazines, specialised periodicals, institutional websites
- examination of the CVs received
- the organisation of selective interviews
- the inclusion in the organisational context of ____ of the suitable candidate
- the establishment of the employment/business relationship
Legal basis:
- Carrying out pre-contractual activities
- Fulfilment of specific obligations; execution of specific tasks deriving from laws, regulations or collective agreements, including company contracts, in particular for the purpose of establishing an employment and/or business associate relationship
Your data may also be collected from third parties such as:
- IT service provider;
- recruitment and training companies/agencies
- universities.
Where envisaged, this is subject to the right to rectification of the data processed or collected.
The data collected or in any case obtained by the Data Controller following the established recruitment procedure for positions available within its organisation, except for those relating to the state of health, voluntarily provided by you, must be considered necessary and failure to provide them will mean it will be impossible for the Data Controller to carry out activities aimed at:
– evaluating your application in the personnel recruitment process which the Data Controller provides, including through its suppliers (third parties/recipients);
– managing the recruitment process of candidates in all its phases and the resulting obligations.
2) for communication to third parties and for dissemination
Purpose:
communication to third parties such as:
- Work consultants
- IT consultants
- Public entities
- recruitment and training companies/agencies
- internship promoters
Legal basis:
- Carrying out pre-contractual activities
- Fulfilment of legal and/or regulatory obligations depending on the activities carried out with the recruitment procedure
The Data Controller does not transfer your personal data abroad (non-EU countries). Your personal data will not be disseminated or disclosed in any way to undetermined or unidentifiable parties, not even as third parties.
The communication concerns the categories of data whose transmission is necessary for the performance of the activities and purposes pursued by the Data Controller in the management of the recruitment procedure. The relative processing does not require the consent of the data subject in the event that this takes place to fulfil the obligations deriving from the established relationship or in other cases of exclusion (in particular the traceability of a legitimate interest from the Data Controller), expressly provided for or dependent on the legislation and regulations applied by the Data Controller, or also through third parties identified as data processors. Where the communication involves data that could reveal your state of health, the related processing operations will take place with all the necessary guarantees including those which, if requested on the basis of the risks identified, result in the application of pseudonymisation solutions, and/or aggregation and/or encryption of the data.
3) for IT security activities
Purpose:
- control and monitoring of the services displayed on the network and on the platforms pertaining to the Data Controller and made available to you for sending CVs and/or for accessing open job positions/business associations (e.g. the forms published on the page “Work with us”)
- implementation of procedures for detecting and reporting personal data breaches (data breaches)
Legal basis:
- Access to the recruitment procedure
- Fulfilment of legal obligations (detection and notification of data breaches)
- Legitimate interest
How, where and for how long is your data stored?
How?
Data processing is carried out through hard-copy or IT procedures by specifically authorised internal parties. They are allowed access to your personal data to the extent and within the limits necessary for the performance of the processing activities that concern you.
The Data Controller periodically checks the tools through which your data are processed and the security measures envisaged for them which it keeps constantly updated; it also checks, through the parties authorised to process, that personal data are not collected, processed, archived or stored where the processing is not necessary or where the purposes no longer apply; it verifies that the data are stored with the guarantee of completeness and authenticity and that they will be used for the purposes of the processing effectively carried out, also due to their particular nature. The checks allow the Data Controller to assess the strict relevance, and non-excessive and indispensable nature of the data belonging to particular categories with respect to the recruitment procedure as well as the relationship to be established, also with reference to the data you provide on your own initiative.
The Data Controller guarantees that the data that, even as a result of the checks, are excessive or irrelevant will not be used except for the possible retention, in accordance with the law, of the legal instrument or document that contains them.
Where?
The data are stored in hard copy, computer or electronic archives, located within the European economic area, and specific security measures are ensured.
How long?
Your personal data is retained for the time necessary to carry out the activities that concern you.
In particular:
Identifying data, CV data, data that could reveal the state of health even if voluntarily provided:
Duration of the recruitment procedure. This is subject to:
- the limitation of processing and other guarantees provided for data belonging to particular categories
- the erasure of personal data collected through CVs sent spontaneously or in the absence of an open position
- the interest of the Data Controller in keeping the data, including those you have provided voluntarily, for the time needed to evaluate the application also for future employment/business association relationships
- the establishment of the employment/business association relationship
Except for any dispute that may involve an extension of the aforementioned terms, for the time necessary to pursue the related purpose
IT data (access logs to systems and to the network and/or IP addresses):
The duration of the retention period depends on the presumed and/or detected risk and the resulting negative consequences, subject to the measures taken to make the data anonymous or to restrict their processing. In any case, the data must be kept (starting from the knowledge/detection of the dangerous event or data breach) for the time necessary to notify the supervisory authority of the breach of the data detected through the procedures implemented by the Data Controller and in any case to remedy it
Once there is no longer a reason giving the right to retain your personal data, the Data Controller will delete them or render them anonymous.
What are your rights?
The rights granted to you allow you to always have control over your data. Your rights are those of:
- access;
- rectification;
- withdrawal of consent;
- erasure;
- restriction of processing;
- objection to processing.
In essence, you, at any time, for free and without specific duties or formalities regarding your request, can:
- obtain confirmation of the processing carried out by the Data Controller
- access your personal data and find out about their origin (when the data are not obtained from you directly), the purposes and scope of the processing, the data of the subjects to whom they are communicated, the retention period of your data or useful criteria to determine it;
- update or rectify your personal data so that they are always precise and accurate;
- withdraw consent at any time, if this constitutes the basis of the processing. In any case, the withdrawal of consent does not affect the lawfulness of the processing based on the consent given before the withdrawal itself;
- delete your personal data from databases and/or archives, including backups if, inter alia, they are no longer necessary for the purposes of the processing or if this is assumed to be unlawful, and always if the conditions set out under the law apply; and in any case if the processing is not justified by any other equally legitimate reason;
- restrict the processing of your personal data in certain circumstances, for example where you have contested the accuracy, for the period necessary for the Data Controller to verify their accuracy. You must also be informed, in a reasonable time, of when the suspension period has been completed or the cause of the restriction of the processing has ceased, and therefore the limitation itself has been revoked;
- obtain your personal data, if their processing takes place on the basis of a contract and with automated tools, in electronic format also in order to transmit them to another data controller.
The Data Controller must do so without delay and, in any case, at the latest within one month of receiving your request. The deadline may be extended by two months, if necessary, taking into account the complexity and number of requests received. In such cases, the Data Controller will inform you of the reasons for the extension within one month of receiving your request.
For any further information and in any case to send your request, please write to privacy@sisma.com.
How and when can you object to the processing of your personal data?
For reasons relating to your particular situation, you can object to the processing of your personal data at any time if it is based on legitimate interest, by sending your request to the address privacy@sisma.com.
You have the right to have your personal data deleted if there is no legitimate reason overriding the one that gave rise to your request.
How can you lodge a complaint?
Without prejudice to any other administrative or judicial action, you can lodge a complaint with the data protection authority, unless you reside or carry out your work in another Member State. In the latter case, or where the breach of the legislation on the protection of personal data takes place in another EU country, the supervisory authorities in the country of residence shall be responsible for receiving and dealing with the complaint.
Any update of this privacy statement will be communicated to you promptly and by appropriate means and will also be communicated to you before proceeding and in time to give your consent if necessary.