CANDIDATES’ PERSONAL DATA

PRIVACY NOTICE FOR THE PROCESSING OF CANDIDATES’ PERSONAL DATA

Pursuant to and for the purposes of Articles 13 and 14 of EU Regulation 2016/679 (hereinafter “GDPR”) on the protection of natural persons with regard to the processing of personal data, the Company IG OPERATION AND MAINTENANCE S.p.A., with registered office in Pomezia, via Campobello, no. 1, 00071 (hereinafter “Controller”), acting as Data Controller, hereby informs you that the personal data collected in the context of the selection process will be processed in accordance with the above-mentioned legislation.

The Controller may be contacted at the following address: legal@igomspa.it.

The Controller has appointed a Data Protection Officer (hereinafter also “DPO”), who may be contacted at the following address: privacy@igomspa.it.

1. Subject matter of processing

The Controller processes your personal data, including: so-called identifying data (first name, last name, place and date of birth, tax identification number), so-called contact data (e-mail address, telephone number, residence address), as well as any other data that could potentially be included in a curriculum vitae.

In the event that the selection process is successful, the Controller will process the personal data contained in the documents of which it requests a copy during the selection process, such as images (ID document, educational qualifications, training course certificates).

In cases where the selection process is successful and the candidate is selected to carry out activities at the premises of the Controller’s Clients, data necessary to obtain authorisation to access the Client’s areas will be collected. In particular, the following data will be sent to the Client: personal and residential data, the role to be performed, the workplace and project to which the candidate is assigned, the start date of the employment, a copy of the ID document and residence permit for non-EU citizens.

In the event of a refusal of access by the Client, the Controller will not be informed of the reasons that led the Client to deny access.

2. Purposes and legal bases of processing

Your personal data are processed in order to evaluate and select potential candidates, to conduct selection interviews, and to obtain authorisation to carry out activities at the Client’s premises. The processing of data is therefore necessary for the management of pre-contractual activities requested by the Data Subject; accordingly, the legal basis is to be found in Article 6(1)(b) GDPR.

In pursuing the aforementioned purposes, the Controller may become aware of special categories of personal data, specifically: racial or ethnic origins, membership of protected categories. The legal basis for the processing of such types of personal data lies in Article 9(2)(f) GDPR, given that the processing is necessary to fulfil the obligations and exercise the specific rights of the Controller or the Data Subject in the field of employment law and social security and protection.

3. Nature of the data

The provision of your personal data referred to in the preceding paragraph is optional; however, failure to provide such data may result in the Company being unable to properly assess your profile, manage your application, or conclude the employment contract in cases where it is necessary to obtain authorisation to access the Client’s premises.

4. Methods of processing

The processing of your data will be conducted in accordance with the principles of fairness, lawfulness and transparency, and may also be carried out through automated methods suitable for storing, managing and transmitting data. Processing will be carried out using appropriate tools that, to the extent reasonably possible and in accordance with the current state of technology, ensure security and confidentiality through the use of appropriate procedures designed to prevent the risk of loss, unauthorised access, unlawful use and disclosure.

Your personal data is subject to both paper-based and electronic processing.

All processing is carried out in compliance with the methods set out in Article 32 GDPR and through the adoption of appropriate security measures.

5. Data retention period

The Controller will process personal data for the time necessary to fulfil the purposes set out above and, in any event, for a period not exceeding 12 months from receipt of the application. Should the selection process be successful, your data will be retained as an employee of the Controller, that is, for ten years from the termination of the employment relationship.

The request for authorisation to access the Client’s premises, together with the relevant documents and information, will be retained for up to ten years from the granting or refusal of authorisation.

6. Disclosure and communication

The personal data processed by the Controller will not be disseminated, i.e. will not be made known to unidentified parties, in any possible form, including by making them available or allowing mere consultation.

Your data may be communicated to service providers (e.g. IT system providers, cloud service providers, database providers) duly appointed as Data Processors.

The updated list of Data Processors is available at the Controller’s registered office and will be provided upon written request to the address: legal@igomspa.it.

In addition, based on the roles and tasks performed, certain employees have been lawfully authorised to process your personal data, within the limits of their competence and in accordance with the instructions given to them by the Controller.

Only for candidates selected to begin their probationary period, the personal data referred to in point 1 will be sent to the Client to obtain authorisation to access its premises (where required for the specific role and function).

7. Transfer outside the European Union

The management and storage of personal data will take place on servers located within the European Union, belonging to the Controller and/or to third-party companies duly appointed as Data Processors.

Data will not be transferred outside the European Union. It is in any case understood that the Controller, where necessary, reserves the right to relocate servers to Italy and/or the European Union and/or non-EU countries. In such cases, the Controller hereby ensures that any transfer of data outside the EU will take place in compliance with the conditions set out in Chapter V of the GDPR.

8. Rights of the Data Subject

In your capacity as Data Subject, you are entitled to exercise the rights set out in Articles 15 et seq. of the GDPR 2016/679, namely:

• the right to request from the Controller access to your personal data, i.e. confirmation as to whether or not personal data concerning you are being processed and, where that is the case, access to such data (Art. 15);
• the right to request from the Controller the rectification and/or completion of inaccurate personal data concerning you (Art. 16);
• the right to request from the Controller the erasure of such data without undue delay (Art. 17);
• the right to request from the Controller the restriction of processing concerning you (Art. 18);
• the right to obtain confirmation that the operations referred to in points (b), (c) and (d) above have been brought to the attention of those to whom the data have been communicated or disclosed, including with regard to their content, except where this proves impossible or involves a disproportionate effort in relation to the right protected (Art. 19);
• the right to data portability, i.e. to receive your personal data in a structured, commonly used and machine-readable format (Art. 20);
• the right with regard to automated decision-making processes, i.e. the right not to be subject to a decision based solely on automated processing of your data without your explicit consent (Art. 22);
• the right to lodge a complaint with the supervisory authority (Art. 77), i.e. the right to apply to the Authority where you consider that the processing concerning you infringes the Regulation.

The aforementioned rights may be exercised by sending a registered letter with acknowledgement of receipt to Via Campobello, 1 – 00071 – Pomezia (Roma), or by writing to the following e-mail address: privacy@igomspa.it.

The Data Controller

IG OPERATION AND MAINTENANCE S.p.A.