NOTICE TO THE APPLICANTS
- Legislative decree n. 196 of 30.06.2003, Personal data protection code (hereinafter, Privacy Code);
- EU Reg. no. 679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter, the EU Regulation)
- Legislative decree n. 81 of 9 April 2008, Consolidated Law on Occupational Health and Safety (hereinafter, the Consolidated Law on Occupational Health and Safety );
-Regulation of Data Protection Authority of 15 December 2016 authorising the processing of sensitive data in employment relationships (hereinafter, the Authorising Regulation of the Data Protection Authority).
We would like to inform you that following receipt of your cv, in order to verify the possibility of transforming your application into a work/contractual relationship and in compliance with the provisions of art.13 of Legislative Decree N. 186 of 30.06.2003 (the “Privacy Code”) and of art. 13 of European Regulation n. 679 of 2016 (the “Privacy Regulation”), Keyline SpA, as potential employer/principal, shall collect and process your (as “Data subject”) data and, if necessary those of Your family members.
Please note that with reference to the selection activity, Keyline SpA, subject to your specific consent, may process personal data that the Privacy Code defines as “sensitive” and the Privacy Regulation as “special” in that they are liable to reveal, for example, a general state of health or specific conditions (e.g. physical problems, allergies, belonging to protected categories and degree of disability) which are relevant to the assessment of the suitability of the candidate for certain tasks, or to the possibility for the data subject of being hired because of their inclusion in a legally protected classification.
With the prior specific consent of the data subject, and again with regard to selection activities, the Data Controller may also acquire and process, besides the data subject’s personal data, one or more photographs to be attached to the information collected during the staff selection interview.
The Data Controller is Keyline SpA (hereinafter, the “Data Controller”), VAT n. 02359470263, with registered office in via Camillo Bianchi 2, 31015 Conegliano (TV), Fax 0438-202520, E-mail firstname.lastname@example.org, Tel. 0438-202511.
The updated list of any designated Data Processors can be provided at the request of the data subject.
If a Data Protection Officer is appointed (in compliance with art. 37 of the Privacy Regulation), their identification data shall be published as an integration hereof.
The Data Subject’s personal data are processed in the course of the Data Controller’s standard staff selection activities, to assess the possibility of transforming an application into an actual work/contractual relationship.
In relation to this purpose, the processing of personal data is carried out by persons specifically appointed, authorized and instructed to the processing in accordance with art. 30 of the Privacy Code and Articles 28 and 29 of the Privacy Regulation, as well as through external parties (for example, personnel selection companies, external consultants for the processing of pay and contribution data, etc..), which may be autonomous Data Controllers or be designated in writing as Data Processors; in any case, the processing will be carried out using manual, computer and telematic tools, using a logic that is strictly connected with the purpose of processing and always in such a way as to ensure confidentiality and the security of the processed personal data, in full compliance with the legislation from time to time in force.
The Data Subject’s data shall be retained by the Data Controller for the period detailed in paragraph 7, or in any case for no longer than strictly necessary for the purpose mentioned above, without prejudice for the need to retain them for a longer period in compliance with the legislation, including the accounting legislation, from time to time in force.
The data shall be processed in Italy and, in any case, inside the EU.
With reference to the abovementioned purposes, the provision of personal data is mandatory, as the absence of data would make it impossible to verify the possibility of creating an actual work/contractual relationship with the data subject. The lawfulness of the processing, therefore, derives from the need to assess the possibility of creating an actual work/contractual relationship in which the data subject is a party and upon request by the same (in compliance with art. 6 par. 1 lett. b) of the Privacy Regulation).
With reference to the processing of personal data that the Privacy Code defines as “sensitive” and the Privacy Regulation as “special” in that they are liable to reveal, for example, a general state of health or specific conditions (e.g. physical problems, allergies, belonging to protected categories and degree of disability) which are relevant to the assessment of the suitability of the candidate for certain tasks, or to the possibility for the data subject of being hired because of their inclusion in a legally protected classification, their disclosure is discretionary, but a failure to provide them and the relevant consent to the processing entail the impossibility of being chosen for said tasks or as members of legally protected categories of subjects.
With regard to the abovementioned processing purposes, and within the strict scope of the same, the Data Subject’s data shall or may be disclosed, in Italy or within the EU, to:
(i) all subjects involved, for whatever reason, in recruiting activities aimed at the creation of a work/contractual relationship, duly appointed and instructed in writing by the Data Controller in compliance with the law and according to the procedures laid down in the company’s job descriptions;
(ii) external consultants called to perform said activities, if not appointed in writing as Data Processors.
The abovementioned subjects to whom the data subject’s personal data shall or may be communicated, not being appointed as Data Processors in writing, shall operate in the capacity of data controllers in their own right under the Privacy Code, with full autonomy, not being involved in the processing performed by Keyline SpA. A detailed and constantly updated list of such subjects, including their respective head offices, is always available in the Keyline SpA headquarters.
Personal data shall not be disseminated.
Article 7 of the Privacy Code and articles 15 and following of the Privacy Regulation state that the Data Subject has the right to obtain, with the modes described in articles 8 and 9 of the Privacy Code and art. 12 of EU Regulation 679/2016:
The data subject shall also have the right:
To receive the detailed and constantly updated list of subjects to whom the personal data of the Data Subject may be communicated, and to exercise the rights under art. 7 of the Privacy Code and articles 15 and following of the Privacy Regulation, the Data Subject can apply to Keyline SpA as Data Controller.
Data processing shall be performed in compliance with the provisions of articles 11 and following and 31 and following of the Privacy Code and by adopting the minimum security measures provided for in the technical specifications (Annex B to the Privacy Code) until 24 May 2018 and, from 25 May 2018, also by adopting appropriate technical and organisational measures to ensure a suitable level of security, in compliance with the provisions of articles 5 and following and 32 and following of the Privacy Regulation, as well as with the relevant Regulations of the Data Protection Authority.
On this point, it is hereby confirmed that all appropriate security measures for the prevention of unauthorised access, theft, dissemination, amendment or unauthorised destruction of the Data Subject’s personal data.
In compliance with art. 11 lett. e) of the Privacy Code and art. 5 lett. e) of the Privacy Regulation, personal data shall be kept for no longer than is necessary for the purposes mentioned above and, in any case, for no longer than 36 months.
“Art. 7.Right to Access Personal Data and Other Rights.
1.A data subject shall have the right to obtain confirmation as to whether or not personal data concerning him exist, regardless of their being already recorded, and communication of such data in intelligible form.
2.A data subject shall have the right to be informed:
a) of the source of the personal data;
b) of the purposes and methods of the processing;
c) of the logic applied to the processing, if the latter is carried out with the help of electronic means;
d) of the identification data concerning data controller, data processors and the representative designated as per Section 5(2);
e) of the entities or categories of entity to whom or which the personal data may be communicated and who or which may get to know said data in their capacity as designated representative(s) in the State’s territory, data processor(s) or person(s) in charge of the processing.
3.A data subject shall have the right to obtain:
a) updating, rectification or, where interested therein, integration of the data;
b) erasure, anonymization or blocking of data that have been processed unlawfully, including data whose retention is unnecessary for the purposes for which they have been collected or subsequently processed;
c) certification to the effect that the operations as per letters a) and b) have been notified, as also related to their contents, to the entities to whom or which the data were communicated or disseminated, unless this requirement proves impossible or involves a manifestly disproportionate effort compared with the right that is to be protected.
4.A data subject shall have the right to object, in whole or in part:
a) on legitimate grounds, to the processing of personal data concerning him/her, even though they are relevant to the purpose of the collection;
b) to the processing of personal data concerning him/her, where it is carried out for the purpose of sending advertising materials or direct selling or else for the performance of market or commercial communication surveys.”