NOTICE GDPR ex art. 13-14 of EU Reg. 2016/679
(European Data Protection Regulation)
RESUMES AND STAFF SELECTION
This Notice is provided pursuant to Article 13 of EU Regulation 2016/679 - "European Data Protection Regulation".
The undersigned company recognizes as primary value the protection of personal data and has consequently adopted policies that provide full compliance with internal and international regulations on the matter.
In compliance with the provisions of EU Reg. 2016/679, this Notice provides necessary information regarding the processing of data supplied by you, and describes the processing of personal data carried out by Design 2000 International S.p.A.
We therefore invite you to read this Notice carefully and to provide your consent to the collection, storage, use, transfer and disclosure, from our part, of your personal information, as described in this Notice.
Where required by EU Reg. 2016/679 and / or by Italian law, the user's consent will be requested before proceeding with the processing of his/her personal data.
If the user provides personal data of third parties, he/she must ensure that the communication of data to the Company and the subsequent processing for the purposes specified in the applicable privacy notice is compliant with EU Reg. 2016/679 and applicable legislation.
2) Data Controller
Design 2000 International S.p.A. represented by legal representative pro-tempore, with headquarters in via Maria Adelaide, 8 – 00196 Roma, e-mail: firstname.lastname@example.org
3) Location of data processing
Processing related to web / digital / paper services takes place at the aforesaid location and is carried out only by personnel formally authorized to process data. The data relating to the provision of the web service will be processed at the web service provider's web farm. No data deriving from the web service is communicated or diffused, unless when mandatory for correct fulfillment of legal and contractual obligations.
Normally user’s data will not be transferred outside the European Union.
In case this becomes necessary, we make sure that the recipient, acting as data controller, complies with the provisions of the GDPR, including the specific regulation for the transfer of personal data to third countries, ensuring that such transfers are made on the basis of an adequacy decision or signing by data controller of typical contractual clauses related to data protection approved by the European Commission.
All information on the transfer of personal data to third countries can be requested by contacting the DPO at the address indicated in paragraph 2 above.
4) Kinds of data processed
Data supplied by the user:
The processing of the personal data supplied by you, of a particular and/or judicial nature, is carried out in compliance with the current legislation on the subject. The company may also collect personal data of the user from third parties, if such data are necessary to carry out its activities and to fulfill contractual and legal obligations, such as for example elaboration and payment of remuneration and/or entitlements, for the performance of all the practices foreseen by the regulations in force regarding Safety at work, Privacy and environment; for the fulfillment of legal and contractual obligations, also collective, related to the employment and/or collaboration relationship. The data shall be processed in accordance with the principles of correctness, lawfulness, transparency and protection of your confidentiality and your rights.
In relation to the employment and/or collaboration relationship, Data Controller can treat data that the GDPR defines as "particular" as they are suitable for detecting for example:
a) a general state of health (absences due to sickness, maternity, accident), aptitude for certain tasks (as an example, expressed by medical staff as a result of preventive/periodic medical examinations or requests by yourself);
b) Membership of a trade union (assumption of charges and/or request for deductions for shares of trade union), adherence to a political party or title of public office (permits or expectations), religious convictions (religious holidays accessible by Law);
c) data related to the state of health treated by the competent physician in carrying out the tasks provided for in Legislative Decree 81/08 and other hygiene and safety provisions in the workplace, for the purpose of conducting preventive and periodical medical investigations, will be processed at the employer’s premises exclusively by the same doctor as the autonomous data controller and/or responsible for data processing, for which the company requests express consent. The doctor shall communicate to the employer exclusively assessments on professional inadequacy.
d) data necessary to take advantage of certain treatments under specific regulations (e.g. Law 104/92).
All these data are processed for the time strictly necessary to meet contractual and legal obligations, and on the basis of the provisions of applicable legislation including the specific one.
5) Nature of data providing.
Providing personal data is obligatory for all that is required by legal and contractual obligations and therefore any refusal to supply them in whole or in part can give rise to the impossibility for the company to execute the contract or to carry out all the fulfilments, such as those of an administrative, fiscal and insurance nature, etc., linked to the establishment of employment and/or cooperation relationship.
In other cases provision of data is optional.
6) Purposes and methods of data processing
Personal data and particular/judicial ones if any, voluntarily provided, shall be processed by data controller for the correct management of staff selection and/or for the establishment of the contractual relationship.
All personal data are processed for the purposes for which they are collected, and in any case in accordance to contractual and legal obligations. They are processed by persons formally authorized to process data with both paper and electronic means, where possible anonymously or using pseudonymisation and through encryption when required and / or necessary (e.g. health data). Personal data are processed both in paper and electronic form and placed in company information system in full compliance with the EU Reg. 2016/679, including security and confidentiality profiles and based on the principles of correctness and lawfulness of processing. Specific security measures are observed to prevent data loss, their illicit or incorrect use or unauthorized access.
The user's data will be processed on the basis of a legitimate interest of data Controller, i.e. the consent expressly declared by the user, for the fulfillment of contractual obligations and for safety and health protection of the employees/ collaborators.
7) Storage of personal data
In compliance with EU Reg. 2016/679 Personal data are stored and kept for the time strictly necessary for the aims and specific purposes for which they are collected and in any case for the period of time necessary to meet contractual and legal obligations. Once the needs of the treatment are ceased, the data shall be canceled and / or destroyed or returned to the interested party in the cases provided for by the law.
8) Communication and / or distribution of data
Personal data normally shall not be diffused, and will be communicated to:
- public bodies (INPS, INAIL, Labour inspectorate, tax offices...);
- social security funds including private ones;
- medical offices in fulfillment of obligations in the field of hygiene and work safety;
- insurance Companies and Credit institutions;
- supplementary funds;
- business associations to which the company adheres.
- all rights holders whose right of access is provided for in compliance with contractual and legal obligations;
- external companies/ Consultants specialised in staff selection/evaluation
- natural and / or juridical persons, public and / or private, when the communication is necessary or functional to the performance of the activities being processed, and in a way and for purposes described above, and in any case in compliance with legal and contractual provisions;
- data controllers, also outsourcers, and to persons authorized to data processing within their related tasks;
- external providers such as couriers, shipping services, etc.;
- counterparties, authorities etc.: during legal and / or administrative procedure
All data processing is handled exclusively by Managers and persons formally in charge.
9) Rights of data subjects
In compliance with the provisions of Chapter III, Section I of GDPR, the interested party may exercise the rights indicated therein, and in particular:
- The Right of Access (Article 15 of the GDPR), which consists in obtaining confirmation that the processing of your personal data is ongoing, and receiving, in this case, information concerning:
o purposes of the processing;
o categories of personal data concerned;
o recipients or categories of recipients to whom personal data have been or will be communicated, in particular if they are from third countries or international organizations;
o period of storage of personal data or, if not possible, the criteria used to determine such period;
o existence of the right of the data subject to request the data controller to rectify or delete personal data or limit the processing of his/her personal data or to oppose to their treatment;
o the right to lodge a complaint with a supervisory authority;
o the existence of an automated decision-making process, including profiling and, at least in such cases, significant information on the logic used, as well as the importance and expected consequences of such processing for the data subject
- Right of rectification (Article 16 of the GDPR) - which consists in obtaining, without undue delay, the correction of inaccurate personal data concerning you, and integration of incomplete personal data, also by providing an additional declaration
- Right to cancellation (art.17 GDPR) ("right to be forgotten") - which consists in obtaining, without undue delay, the cancellation of personal data concerning you, if there is one of the following reasons:
o personal data are no longer necessary with respect to the purposes for which they were collected or otherwise processed;
o the interested party revokes the consent on which the processing is based in accordance with Article 6 (1) (a) or Article 9 (2) (a) and if there is no other legal basis for the processing;
o the interested party opposes to the processing pursuant to Article 21 (1), and there is no overriding legitimate reason to proceed with the processing, or opposes to the processing pursuant to Article 21 (2);
o personal data have been processed unlawfully;
o personal data must be deleted to fulfill a legal obligation under European Union law or the law of the Member State to which the data controller is subject;
o personal data have been collected with regard to the offer of services of information society referred to in Article 8, paragraph 1 of EU Reg. 2016/679
- Right of limitation (Article 18 GDPR) - which consists in obtaining the limitation of data treatment, when one of the following cases occurs:
o the interested party contests the accuracy of personal data, for the period necessary for the data controller to verify the accuracy of such personal data;
o the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
o although data controller no longer needs data for processing purposes, personal data are necessary for the data subject to ascertain, exercise or defend a right in court;
o the interested party has opposed to data processing pursuant to article 21, paragraph 1, EU Reg. 2016/679 expecting verification of possible prevalence of the legitimate reasons of data controller with respect to those of the interested party
- Right to data portability (Article 20 of the GDPR) - The data subject has the right to receive, in a structured commonly used and machine-readable form, personal data concerning him / her provided to a data controller, and he / she has the right to transmit this data to another data controller without impediment by the data controller.
- Opposition right (Article 21 GDPR) - The interested party has the right to object at any time, for reasons connected with his particular situation, to the processing of his personal data pursuant to Article 6 (1) e) or f), including profiling, on the basis of these provisions. The data controller refrains from further processing personal data unless he demonstrates the existence of binding legitimate reasons to proceed with the processing that prevail over the interests, rights and freedoms of the data subject, or for the assessment, exercise or the defense of a right in court.
o If personal data are processed for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data concerning him / her for such purposes, including profiling, in so far as it is related to such direct marketing.
o If the data subject opposes to data processing for direct marketing purposes, personal data will no longer be processed for these purposes.
o The right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information at the time of the first communication with the data subject at the latest.
o In the context of the use of information society services and without prejudice to Directive 2002/58/EC, data subjects may exercise their right to object by automated means using specific techniques.
o In case personal data are processed for the purposes of scientific or historical research or for statistical purposes in accordance with Article 89 (1), the data subject shall have the right to object to the processing of personal data for reasons connected with his/her particular situation, unless the processing is necessary for the performance of a task of public interest.
- Automated decision-making process concerning natural persons, including profiling (Article 22 GDPR) - The data subject has the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects affecting him / her, or similarly significantly affects his person.
- Right to propose a complaint to the supervisory authority - Propose a complaint to Garante per la protezione dei dati personali, Piazza di Montecitorio n. 121, 00186, Roma (RM).
EXERCISE OF THE RIGHTS OF THE INTERESTED PARTY
The interested party may exercise his / her rights through a written communication to be sent by e-mail, PEC, registered letter r / r, fax, to the addresses indicated in paragraph 2 - Data Controller.
The exercise of rights as an interested party is free, under Article 12, GDPR
10) Withdrawal of consent for processing
The interested party may withdraw the consent for the processing of his/her personal data at any time by sending a communication, as indicated in point 9 - Exercise of the rights of the data subject.
DECLARATION OF CONSENT
(In accordance with EU Regulation 2016/679)
The interested party declares to have received complete information in accordance with EU Regulation 2016/679 and expresses consent to the processing of personal data for the provision of the Services and the communication of his/her personal data as qualified by the aforementioned law, for the purposes and for the duration specified in the notice.