Privacy Policy for personal data collected through CVs

PRIVACY POLICY FOR PERSONAL DATA IN CVs


Privacy policy for the processing of personal data pursuant to Article 13 of the European Regulation concerning the protection of individuals with regard to the processing of personal data (Regulation No. 679/2016, hereinafter also referred to as the GDPR), addressed to candidates applying for job positions within SAVIO S.P.A.

The Data Controller, as defined and identified below, hereby informs you, through this document (the “notice”), about the purposes and methods of processing your personal data and about your rights as a “data subject” pursuant to the GDPR No. 679/2016 and the Privacy Code (Legislative Decree No. 196/2003).

RECIPIENTS OF THIS NOTICE

This notice is intended for candidates applying for job positions within SAVIO S.P.A.

MAIN DEFINITIONS UNDER ARTICLE 4 OF GDPR NO. 679/16

  • Personal data
    Any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
  • Data processing
    Any operation or set of operations performed on personal data or on sets of personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, extraction, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction, whether by automated or manual means.
  • Data Controller
    The natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the data controller or the specific criteria for its designation may be established by Union or Member State law.
  • Data Processor
    The natural or legal person, public authority, agency, or other body that processes personal data on behalf of the data controller.

 

 

  1. DATA CONTROLLER AND DATA PROCESSOR

The Data Controller is SAVIO S.P.A., located in CHIUSA DI SAN MICHELE (TO), Via Torino Strada Statale 25 n. 25, Tax Code and VAT number 12396890019, represented by CEO Moshe Nash ABRAMOV.

The updated list of all Data Processors appointed is available at the Data Controller’s operational office and will be provided upon written request to the contact details provided below.

  1. TYPE OF DATA PROCESSED

The following common data are processed:

  • Name, surname, gender, tax code, photograph (if included in the CV), address, phone number, place and date of birth, email address and other contact details, educational qualifications and/or professional certifications required for the position to be filled, residence permit (if applicable), other personal identification elements.
  • Data contained in the CV submitted or provided directly during the evaluation interview.

The following special categories of data may also be processed (as defined in Article 9, paragraph 1 of the GDPR No. 679/16, special categories include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or union membership, genetic data, biometric data for the unique identification of a person, data concerning health, sex life, or sexual orientation of a person): health-related data, including medical records necessary for employment (including, if necessary, the results of the pre-employment medical examination conducted by the Occupational Health Doctor) or data regarding membership in certain protected categories. Other special data necessary for the role may also be processed.

Other special data, including those related to life and sexual orientation, or judicial data relating to convictions and crimes, may also be processed if they are subject to reporting under the obligations set forth by the whistleblowing procedure (reporting of unlawful conduct).

 

  1. SOURCE OF THE PROCESSED DATA


The processed data subject to this notice are provided:

  • Through the curriculum vitae;
  • During the evaluation interview;
  • By third parties (such as recruitment agencies that SAVIO S.P.A. may use for personnel selection).
  1. PURPOSE OF THE PROCESSING


The personal, identifying, and curricular data, as well as the special data mentioned above, collected from the data subject or from third parties used by the Data Controller for selection procedures, are processed and used for the purpose of conducting personnel selection procedures and verifying the conditions for hiring the candidate.

These data may also be processed to ensure compliance with the obligations required by the certified management system procedures adopted by the Company and, in the case of reports, by the procedure for handling reports of unlawful conduct (whistleblowing).

 

  1. LEGAL BASIS OF DATA PROCESSING


The legal basis for processing personal data is provided, for common personal data, by Article 6, paragraph 1, letter b) of the GDPR 679/16 (processing is necessary for the performance of pre-contractual measures requested by the data subject), letter c) (processing is necessary to comply with a legal obligation to which the controller is subject), and letter f) (legitimate interest of SAVIO S.P.A. in the activity of recruitment and selection of personnel).

For special data, the legal basis is provided by Article 9, paragraph 1, letter b) (processing is necessary for the performance of the obligations and exercise of specific rights of the data controller or the data subject in the field of labor law and social security law and social protection, as authorized by Union or Member State law or by a collective agreement under Member State law, with appropriate safeguards for the fundamental rights and interests of the data subject), letter h) (processing is necessary for preventive medicine or occupational health purposes), and with regard to data potentially processed within the framework of the whistleblowing procedure (reporting of unlawful conduct), also Article 9, paragraph 2, letter f) (processing is necessary for the establishment, exercise, or defense of legal claims) of the GDPR.

 

  1. PROCESSING METHODS


The processing of data is carried out through computerized, telematic, and paper-based methods, in compliance with the provisions of Article 32 of Regulation 2016/679 and the security and protection measures adopted by the Company.

 

  1. NATURE OF DATA PROVISION


Providing the data is optional and it is up to the candidate to present their curriculum vitae (either directly to SAVIO S.P.A. or to third parties, such as recruitment agencies that SAVIO S.P.A. may use in its staff selection process).

In cases where the curriculum vitae is received spontaneously for the purpose of establishing an employment relationship, the information required by Article 13 of Regulation 2016/679 will be provided at the first available contact, after the submission of the curriculum vitae.

This privacy notice is published on the Company’s website (www.savio.it), where the curriculum vitae can be uploaded and sent directly, as well as on the social media channels used by SAVIO S.P.A. (e.g., LinkedIn).

As for the data subsequently and possibly requested by the Data Controller, including sensitive data related to health as previously indicated, failure to provide this data will result in the impossibility of verifying the conditions for hiring and/or starting the collaboration, and thus, the potential establishment of a relationship with the Data Controller.

 

  1. COMMUNICATION AND DISCLOSURE


Your personal data may be shared by the Company with the following subjects: members of the administrative bodies and/or company personnel involved in the selection process, also from a workplace safety perspective.

The data may be communicated to qualified third parties who provide services or instrumental services for the purposes outlined in this notice, including: related parties; IT service providers; suppliers and/or other qualified third parties providing services for the management of the personnel selection process; consultants assisting the Company in legal, tax, social security, accounting, organizational, and management matters; any other subject to whom the data must be disclosed under a legal provision.

The data collected will not be otherwise disclosed.

Your data will not be transferred outside the European Economic Area.

Where necessary, SAVIO S.P.A. will act in compliance with the provisions of Chapter V of the GDPR.

All measures will be adopted to ensure the protection of personal data based on:

  • An adequacy decision by the European Commission;
  • The existence of appropriate safeguards under Article 46 of the GDPR;
  • The adoption of binding corporate rules under Article 47 of the GDPR.

SAVIO S.P.A. uses services and software, including cloud-based Microsoft 365, whose servers and data centers are located within the European Union. For maintenance/diagnostic reasons related to the IT infrastructure and the operational requirements of cloud services, as well as for cybersecurity reasons, Microsoft may intervene from locations outside the EU/EEA.

In such cases, the EU-US Data Privacy Framework applies, which Microsoft adheres to and which was deemed adequate by the European Commission on July 10, 2023 (all information is available on the following websites: https://www.microsoft.com/it-it/trust-center/privacy; https://www.microsoft.com/en-us/privacy/privacystatement; and https://learn.microsoft.com/it-it/privacy/eudb/eu-data-boundary-transfers-for-all-services).

 

  1. RETENTION PERIOD


The data will be retained by the Data Controller for a maximum of 24 months from its collection, unless an employment and/or collaboration relationship is established. After this period, the data will be permanently deleted.

In the case of legal disputes, if it is necessary to defend or take action or even assert claims against you or third parties, the Data Controller may retain the personal data deemed reasonably necessary for these purposes and for as long as such claims can be pursued, and in any case in compliance with the maximum periods possibly prescribed by law.

For compliance with the whistleblowing procedure, the data will be retained for the time necessary to process the report and, in any case, no longer than 5 years from the date of communication of the final outcome of the reporting procedure, unless there are specific legal obligations (e.g., in the judicial context or for the protection of legitimate rights/interests).

 

  1. RIGHTS RECOGNIZED TO THE DATA SUBJECT


At any time, you may exercise your rights against the Data Controller and the Data Processor pursuant to Chapter III (Articles 12-22) of GDPR 679/16.

In particular, as a data subject, you have the right to:

  • Access the personal data in paper and/or electronic records, and other information provided by Article 15 of GDPR 679/16, namely:
  1. a) The purposes of the processing;
    b) The categories of personal data processed;
    c) The recipients or categories of recipients to whom the personal data have been or will be communicated, particularly if they are recipients in third countries or international organizations;
    d) When possible, the retention period for personal data, or if not possible, the criteria used to determine such a period;
    g) If the data has not been collected from third parties, all available information on its origin.
  • The right to obtain the rectification of inaccurate personal data without undue delay. Taking into account the purposes of the processing, you also have the right to obtain the completion of incomplete personal data, possibly by providing an additional declaration (Article 16 GDPR 679/16);
  • The right to obtain the erasure of personal data concerning you without undue delay if one of the reasons set out in Article 17, paragraph 1 of GDPR 679/16 applies;
  • The right to object to the processing and/or obtain the restriction of processing when one of the conditions outlined in Article 18, paragraph 1 of GDPR 679/16 applies;
  • The right to lodge a complaint with a supervisory authority, in Italy, the Garante for the Protection of Personal Data, according to the procedures on the institutional website www.garanteprivacy.it;
  • The right to data portability within the limits and ways provided by Article 20 of GDPR 679/16;
  • The right to object at any time, for reasons related to your particular situation, to the processing of personal data in the cases and manners set out in Article 21 of GDPR 679/16;
  • The right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning you or significantly affects you in a similar manner (Article 22 GDPR 679/16). This does not apply to decisions that are necessary for the conclusion or performance of a contract between you and the data controller; that are authorized by European Union or Member State law to which the Data Controller is subject (Italy, in this case); that are based on the explicit consent of the data subject.

The above-mentioned rights can be exercised by sending a request to the Data Controller, including through an authorized representative, to which appropriate feedback will be provided without delay. The request to the Data Controller, even through an authorized processor, must be sent by registered letter or email, including certified email.

In case of receiving the request via email, the recipient will promptly provide you with an acknowledgment of receipt and handling of the request.

It should be noted that the rights mentioned above may be subject to limitations, pursuant to Article 23 of GDPR 679/16 and Article 2 duodecies of the Privacy Code (Legislative Decree no. 196/2003), for reasons of justice (including judicial processing of business matters and disputes). In such cases, you can still exercise your rights through the Data Protection Authority in the manner provided for in Article 160 of the Privacy Code.

 

  1. CONTACTS


You may exercise the rights described above by writing to the company SAVIO S.P.A., with its legal office at Via Torino Strada Statale 25 n. 25 – 10050 CHIUSA DI SAN MICHELE (TO), or by sending an email to privacy@savio.it or a certified email (PEC) to hope57@legalmail.it.

 

Latest update: January 2025