Privacy Candidates and HR selection
Policy pursuant to and for the purposes of Article 13 of Regulation (EU) 2016/679 (GDPR)
| 1. WHO IS THE DATA CONTROLLER? HOW TO CONTACT THE DATA CONTROLLER? The Data Controller is COSTRUZIONI ELETTROTECNICHE CEAR S.R.L., with registered office at Via Monza 102 – 20060 Gessate (MI), in the person of its Legal Representative pro-tempore, who may be contacted for any information by calling +39 02 9292901 or by emailing hr@cearsitemi.it. |
| 2. PRINCIPAL DEFINITIONS It is recalled that Article 4 of the GDPR provides the following definitions: – Personal Data – any information regarding an identified or identifiable natural person (“Data Subject”), with a natural person is considered identifiable if they can be directly or indirectly identified with particular reference to an identifier such as a name, an identification number, data related to their place of dwelling, an online identifier or one or more elements characteristic of their physical, physiological, genetic, psychic, financial, cultural or social identity. – Special Category Data (see Article 9 of the GDPR):personal data capable of revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or genetic data and biometric data for the purpose of uniquely identifying a natural person, data concerning health or a natural person’s sex life or sexual orientation. – Data relating to criminal convictions and offences or relative security measures (see Article 10 GDPR), as personal data capable of revealing measures referred to in Article 3(1)(a) to (o) and (r) to (u), of Presidential Decree no. 313 dated 14th November 2002, in matters of criminal records, of the registry of administrative sanctions based on the offence and of the relative pending charges, or being a defendant or suspect pursuant to Articles 60 and 61 of the Italian Code of Criminal Procedure. |
3. PURPOSE OF THE PROCESSING, LEGAL BASIS, RETENTION PERIOD, NATURE OF THE DATA PROVISION
| PURPOSE OF PROCESSING | LEGAL BASIS | DATA RETENTION PERIOD | NATURE OF DATA PROVISION | |
| A) | Selection of personnel, carrying out research on and the selection of personnel for the purpose of the possible establishment of an employment relationship, also for any positions differing from those for which the Data Subject has spontaneously applied; storage of personal data also for future selections; management of applications in response to job offers published on the organisation’s website; in-person or video interviews (data processing, including image/audio). | The data processing is necessary for the execution of pre-contractual measures adopted also at the request of the Data Subject. Article 6(1)(b) of the GDPR. For the processing of Special Category Data, General authorisation no. 1/2016 of the Data Protection Authority and applicable legislation on compulsory recruitment. | In principle, the data collected during the recruitment process will be deleted as soon as it is evident that no job offer will be made or that the offer will not be accepted by the candidate. In any case, the maximum retention period is 24 months. | Providing the personal data is necessary to process the data for the selection process. Failure to provide the necessary personal data shall render it impossible to apply. |
| B) | Preventing and conducting disputes and other legal matters and for defence in court. | The processing is necessary for the pursuance of the legitimate interests of the Data Controller or third parties, on condition that they do not impinge on the interests or rights and fundamental freedoms of the Data Subject, requiring the protection of the Personal Data (C47-C50). Article 6(1)(f) of the GDPR. | 10 years, unless opposed and without prejudice to the time necessary for defence in court. | The provision of personal data is required. Failure to provide the data shall prevent the achievement of the legitimate interest of the Data Controller indicated in the purposes of this point. The refusal must be balanced with the legitimate interest of the Data Controller indicated in the purposes of this point. |
| C) | Management of requests regarding the protection of personal data and requests from other Data Subjects, pursuant to Articles 15 and following of the GDPR (Rights of the Data Subject). | The processing is necessary for compliance with a legal obligation to which the controller is subject (C45). Article 1(c) of the GDPR. | 5 years from the closure of the request, except in the event of litigation. | The provision of personal data is mandatory, as it is essential to be able to execute the obligations of the Law. |
| D) | In the context of candidate selection activities, the Data Controller may view the candidate’s publicly-accessible social media profiles on social media networks. The Data Controller may collect and process the personal data of the candidate to the extent that such collection is necessary and relevant for execution of the work. To this end, candidates may be asked to provide information about their profile details on social media networks. | The processing is necessary for the pursuance of the legitimate interests of the Data Controller or third parties, on condition that they do not impinge on the interests or rights and fundamental freedoms of the Data Subject, requiring the protection of the Personal Data (C47-C50). Article 6(1)(f) of the GDPR. | In principle, the data collected during the recruitment process will be deleted as soon as it is evident that no job offer will be made or that the offer will not be accepted by the candidate. In any case, the maximum retention period is 24 months. | The provision of personal data is optional. Failure to provide the data shall prevent the achievement of the legitimate interest of the Data Controller indicated in the purposes of this point. The refusal must be balanced with the legitimate interest of the Data Controller indicated in the purposes of this point. |
| E) | In the context of personnel selection activities, verification of references and assessment of the Curriculum Vitae. Verification activities will be carried out: – At the training/educational institutes declared by the candidate and will concern, among other things, the years attended and the degree/diploma received; – Through former employers and will concern, among other things, the position held and the correspondence of the period of employment with that declared by the candidate. This purpose shall also be pursued by contacting the persons possibly indicated/listed by the candidate as references. | The processing is based on consent to the processing of personal data (C42, C43). Article 6(1)(a) of the GDPR. | In principle, the data collected during the recruitment process will be deleted as soon as it is evident that no job offer will be made or that the offer will not be accepted by the candidate and within a maximum of 24 months. | Providing the personal data is optional. Failure to provide the personal data shall not render it impossible to be selected. |
| 4. TO WHOM WILL PERSONAL DATA BE DISCLOSED? DATA RECIPIENTS The data will not be disseminated. Personal data will be communicated to subjects who shall process the data as autonomous Data Controllers or Data Processors (Article 28 GDPR) and will be processed by natural persons (Article 29 GDPR) acting under the authority of the Data Controller and Data Processors on the basis of specific instructions provided regarding the purposes and methods of processing. The data will be communicated to recipients belonging to the categories of: – Subjects based in Italy who manage/support/assist, even only occasionally, the Data Controller in the administration of the Information System and telecommunications networks (including email, websites and/or web platforms, apps, badges and attendance tools); – Firms or companies based in Italy providing assistance, consultancy and selection regarding personnel; – In the event of consent for references, third parties such as universities and educational institutes, former employers; – Competent authorities for fulfilment of legal obligations and/or provisions of public bodies, on request. The list of Data Processors per Article 28 is available by calling +39 02 9292901 or contacting the other addresses indicated above. |
| 5. IS DATA TRANSFERRED TO COUNTRIES OUTSIDE THE EEA? Personal data will not be transferred to non-EEA countries. In particular, it should be noted that the data will be stored in Italy and that the data recipients are based in Italy. |
| 6. IS THERE ANY AUTOMATED PROCESSING? Personal data will be subject to traditional manual, electronic and automated processing. It is noted that fully-automated decision-making processes are not conducted. |
| 7. RIGHTS OF DATA SUBJECTS Data Subjects may assert their rights as expressed in Articles 15 et seq. of the GDPR, by contacting the Data Controller via the email address hr@cearsitemi.it or by writing to the contacts indicated above. The Data Controller guarantees Data Subjects the possibility of requesting, at any time, access to (Article 15), correction of (Article 16) and erasure of (Article 17) their personal data, along with the limitation of processing (Article 18). The Data Controller then communicates (Article 19) to each of the recipients to whom the personal data has been transmitted regarding any corrections or erasures or limitations for the processing carried out. The Data Controller will inform the Data Subjects who request such recipients. The Data Controller guarantees the right to portability (Article 20) and, in the event of requests pursuant to Article 20, shall provide Data Subjects with the data in a structured, commonly-used and machine-readable format. Data Subjects have the right to oppose (Article 21), at any time, to the processing of data based on legitimate interest, by writing to the above contacts with the subject “Opposition”. If the right to object to the processing based on legitimate interest is exercised, the Data Controller acknowledges that the Data Subjects have the possibility to obtain upon request information on the balancing test carried out. The Data Subjects have the right to revoke any consent given, without prejudice to the lawfulness of the processing based on the consent given prior to revocation. If the Data Subjects consider that the processing of personal data carried out by the Data Controller is in violation of the provisions of Regulation (EU) 2016/679, they have the right to file a complaint with the National Supervisory Authority, in particular in the Member State in which they usually reside or work, or in the place where the alleged violation of the Regulation has occurred (Supervisory Authority – Privacy – https://www.garanteprivacy.it/), or to bring about the appropriate legal proceedings. |
| 8. POLICY CHANGES The Data Controller may change, modify, add or remove any part of this Privacy Policy.In order to facilitate the verification of any changes, the Policy shall contain details regarding the date of updates to the Policy itself. |
Updated on: 06.05.2025
