Personal Data Privacy Notice

Introduction

This Privacy Notice regarding the processing of personal data (hereafter the “Notice”) is issued in conformity to article 13 of EU Regulation 679/2016 (General Data Protection Regulation – hereinafter the “GDPR”).

This Notice describes in detail how and for what purposes your personal data are processed during the personnel selection processes performed by IFFCO ITALIA S.r.l.

  1. Data Controller
The Controller of your personal data is IFFCO ITALIA S.r.l. a socio unico, with registered office at Milan (Italy), via Volterra n. 9, VAT number 09099270960 (hereinafter the “Controller”) and operational offices in Milan, Viale Sarca n. 235 and Marcianise (CE), Contrada Casale Zona Industriale.

If you have any questions or requests, or if you require clarifications regarding this Notice in particular, or the processing of your personal data in general, you may contact the Controller in the following ways:

  • by sending an e-mail (entering “Privacy” as subject) to: iffco@ifortech.com;
  • by writing to the Controller.
  1. Categories of data processed

The Controller processes the following categories of personal data:

  1. data that identify you as Data Subject (for example: name, surname, birth date, fiscal code, address) and contact data (email address, telephone number) that you have provided with your Curriculum Vitae and/or by form, email or other means;
  2. personal data regarding your studies and preparation, your abilities and previous job activities, as well as data published on professional social networks such as LinkedIn;
  3. personal data acquired during the selection processes performed by the Controller, as well as through tests and interviews.

The above personal data have been submitted directly by the Client or communicated by the local Agent that acts for the Controller.

  1. Special categories of personal data processed (artt. 9 and 10 GDPR)
Personal data pertaining to special categories might be processed, as:

  1. data related to your health (such as certifications of good health, disabilities, adequacy to cover certain roles or tasks, etc.);
  2. data related to previous criminal offences (only where required by law).
  1. Consequences of not submitting your personal data

Processing of the personal data described above, Sections B) and C), is necessary to allow the Controller to perform the selection processes in order to hire you, or to fulfil its legal obligations; therefore you have the obligation to hand over the data. Without such data, it may not be possible to enact and perform the contractual relationship with you, or to put you in special categories or assign you some tasks.

  1. Purpose and basis in law of processing
Your personal data will be processed for the following purposes and on the following law basis.

Purpose

Legal basis

Allow you to take part in the selection process

Processing is necessary in order to take steps prior to entering a contract (art. 6(i)(b) GDPR).

Processing is necessary for work-related medical examination (art. 9(2)(h) GDPR).

Gather supplemental data on your professional profile, also by consulting professional social network profiles

Processing for purposes related to the legitimate interests of the Controller (article 6(i)(f) of the GDPR)

To allow the Controller to respond to your requests in accordance with relevant legislation and to exercise or defend his rights in or outside courts of law, and in the context of any claims or controversies (whether initiated by you, the Controller, third parties or legal or administrative authorities)

Processing for purposes related to the legitimate interests of the Controller (article 6(i)(f) of the GDPR)

  1. Categories of recipients to whom processed data are disclosed

To fulfil the purposes stated above, your personal data may also be processed by third parties, i.e. parties other than the Controller. Such parties will process your personal data on behalf of the Controller, acting as properly designated and contracted Processors according to article 28 of the GDPR.

In particular, your personal data will be processed by:

  1. suppliers of professional selection or work services, including third parties involved in the evaluation of personnel candidates;
  2. entities that are part of Controller’s group of companies, that control or are controlled by the latter, in order to fulfil the obligations provided by the Contract.

If you wish to know the identity of all the parties to whom your personal data are disclosed, contact the Controller at the addresses given above.

  1. Transfer of your personal data outside the European Economic Area

Personal data shall be transferred outside the European Economic Area only in conformity to applicable legislation and, in particular to the safeguards established for the transfer of personal data to countries outside the EU that do not offer an adequate level of protection (e.g. Privacy Shield in the case of the USA) and/or based on the Standard Contractual Clauses or Binding Corporate Rules, as it may be the case.

The Data Controller will provide, upon simple request, detailed information about the methods of transferring data to third countries, any appropriate or appropriate guarantees and the means to obtain a copy of such data or the place in which have been made available.

  1. Period for which personal data are stored

Your personal data will be stored for the following periods for 3 years after the position has been filled.

At the end of the above-mentioned conservation periods, data will be deleted or rendered anonymous for the Controller. In case of processing for legitimate interests of the Controller (i.e. protection of rights), such data will be retained until expiration of those needs.

  1. Processing of personal data using automated decision-making systems
Operations involving the processing of your personal data using automated decision-making systems (including profiling as defined in article 22, sections 1 and 4 of the GDPR) are not foreseen.
  1. Your rights regarding the processing of your personal data

You have the right to ask the Controller for access to your personal data, as established in article 15 of the GDPR.

By exercising the right to access, you also have the right to be informed of:

  • the purpose of processing;
  • the categories of data processed;
  • the recipients or categories of recipient to whom your personal data have been or will be disclosed, especially in the case of recipients in countries outside the EU or belonging to international organisations;
  • if possible, the period for which personal data are stored, or if not possible, the criteria used to determine such a period;
  • the existence of your right to ask the Controller to rectify or erase your personal data or to restrict or object to the processing thereof;
  • your right to lodge a complaint with the supervisory authority;
  • the source of your personal data if such data were not collected from you personally;
  • the existence of an automated decision-making system, including profiling, as defined in article 22, sections 1 and 4 of the GDPR and, if such a system exists, the logic applied, and the significance and consequences processing may have for you.

You also have the following rights:

  1. the right to obtain from the Controller the rectification of incorrect personal data or the completion of incomplete personal data, as established in article 16 of the GDPR;
  2. the right to obtain from the Controller the erasure of your personal data, as established in article 17 of the GDPR. The Controller may not guarantee the exercise of this right (or may only satisfy requests in part) if the processing of the personal data to which the request to erase applies is required to fulfil legal obligations or to establish, exercise or defend a right in a court of law;
  3. the right to obtain from the Controller the restriction of processing, as established in article 18 of the GDPR;
  4. the right to object to the processing of your personal data, as established in article 21 of the GDPR, unless the Controller, on receiving notice to this effect, can demonstrate the existence of legitimate and valid reasons for processing that prevail over your interests, rights and freedoms, or unless processing is required to establish, exercise of defend a right in a court of law.

All requests involving the above rights must be sent to the addresses of the Controller given in section A). The Controller shall respond to requests without unjustified delay.

If you receive no response, a refusal or a late or unsatisfactory reply to your requests, or if you believe that the Controller is processing your personal data in an unlawful or non-transparent manner, you may also lodge a complaint with the supervisory authority.

If you are an Italian citizen, normally reside or work in Italy, or if you believe that a violation by the Controller regarding the processing of your personal data took place in Italy, you may contact the Italian Garante – www.garanteprivacy.it – to safeguard your rights.

If you are a citizen of another member state of the EU, normally reside or work in another member state of the EU, or if you believe that a violation by the Controller regarding the processing of your personal data took place in another member state of the EU, you should consult the website http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm for further information on the competent supervisory authority.

  1. Modifications and updates to this Notice

If this Notice is modified or updated, the Controller will take all reasonable measures to inform you of the changes (for example by contacting you at the addresses submitted by you).