Candidates Privacy Notice

Pursuant to the legislation applicable to protection of personal data (the “Privacy Legislation”), including EU Regulation 2016/679 (the “GDPR”), DATA4 Services S.A.S.U. (“DATA4“ or the “Company”, the “Data Controller”), as data controller, provides candidates (hereinafter the “Data Subjects” or the “Candidates” or, in the singular, the “Data Subject” or the “Candidate”) who have submitted their curriculum vitae (the “CV”) through the “Careers” portal available on the Company’s website (www.data4group.com), which will process their personal data contained in the CVs itself in compliance with the Privacy Legislation, in the modalities and for the purposes described in this privacy notice (the “Notice”).

1.      WHAT IS PERSONAL DATA?

Personal data is any information that makes a natural person to be identified or identifiable (whose identity can be determined directly or indirectly, in particular by means of an identifier).

2.      WHO IS THE DATA CONTROLLER?

The Data Controller is DATA4 Services S.A.S.U., with registered office in 6 rue de la Trémoille, 75008 Paris (FR), fiscal code no. FR35493254643, to be contacted at the following e-mail address: privacy@data4group.com. DATA4 is one of the companies of the DATA4 Group (the “DATA4 Group”).

3.      WHAT PERSONAL DATA WE PROCESS?

The Data Controller will process the following personal data provided through the Candidate’s registration on the portal dedicated to receive applications (“Careers”), as well as through the fill-in of the specific form and during the job interview:

Common data ·        identification and contact details, such as: name, address or other elements of personal identification; telephone number,e-mail address and image if CV contains photograph,

·        informations about educational and professional background, such as: education, professional experience, current company position or role, if any, last received salary, if any;

·        additional personal data that may be contained in the CV and in the cover letter trasmitted to the Company;

·        data allowing the link to the recruiting form, such as: user ID, connection data.
Special categories of personal data pursuant to Article 9 of the GDPR The Company does not process special categories of personal data (such as, for example, data revealing the health status or membership of a trade union association) which, if contained in the CV, will be immediately deleted by the Company itself.

Where the Candidate belongs to a legally protected status, he/she shall provide information suitable for revealing the health status, which will be processed in accordance with the provisions of Article 9 of the GDPR and, in general, the Privacy Legislation.

It should be noted that, where deemed necessary in relation to the specific role, additional information may be required in order to verify any conflict of interest that may arise in the context of the job activities.

4.      FOR WHAT PURPOSES, ON WHAT LEGAL BASIS, AND FOR HOW LONG DO WE PROCESS PERSONAL DATA?

The Data Controller informs Data Subjects that personal data collected by the Company through the recruiting portal and/or collected from correspondence with Candidates and/or through interviews will be processed, electronically and physically, for the following purposes (“Purposes”):

Purposes of the processing Legal basis of the processing Retention period Nature of the provision of personal data
a)      Recruitment and selection of the staff and/or management of applications received through the specific portal. Article 6(1)(b) of the GDPR:

performance of pre-contractual measures taken at the request of the Data Subject.

 Personal data will be retained for a limited period of time, strictly related to the Purpose for which they were collected and in accordance with applicable legal or regulatory obligations.

Specifically, Candidates’ personal data will be retained and processed for a period no longer than 24 months after their collection by the Data Controller (the “Retention Period”).

In the event of a call for a selection process that does not result in placement, the personal data of Candidates may be retained for a maximum period of 12months, solely for recruitment and selection purposes to other professional opportunities.

At the end of the Retention Period, Candidates’ personal data will be erased, unless there are further legitimate interests of the Data Controller and/or further legal obligations arising from the establishment of the employment relationship, if any, as well as further legal obligations that make it necessary, after minimization, to retain them.

 The provision of the personal data through the Candidate’s registration on the Company’s portal dedicated to recruitment and the fill-in of the specific form are not mandatory, but are necessary to carry out the selection process.

Failure to provide the above personal data, therefore, could lead to the impossibility, by the Company, to complete the selection process and, if any, the possible establishment of the employment relationship.

In any case, excluding the cases in which the selection process is dedicated to Candidates belonging to legally protected status, the Company invites all those who intend to submit their applications to not provide data parts of special category pursuant to the GDPR (such as, but not limited to, data relating to health status, political opinions, religious beliefs, judicial data or data revealing racial or ethnic origins).
b)      Evaluation of submitted applications as part of the selection processes of an individual belonging to a legally protected status. Article 6(1)(b) of the GDPR:

need to carry out the obligations and exercise specific rights of the Data Controller or of the Data Subject in the field of employment.
c)       Establishment, exercise or defense of legal claims in court. Article 6(1)(f) of the GDPR:

Data Controller’s legitimate interest relating to the right to defend and exercise its rights or third parties‘ rights.

If the legal basis for the processing is the legitimate interest of the Data Controller, the Company ensures that it has first carried out an assessment (“balancing test”) to ensure the proportionality of the processing, in order to ensure that its legitimate interest does not override the interests or the fundamental rights and freedoms of the Data Subjects, taking into account the reasonable expectations of the Data Subjects in relation to the specific processing activity carried out.

Data Subjects may request further information on the above assessment by sending an email to the following address: privacy@data4group.com

The Data Controllers informs the Data Subject that he/she will always have the right to object at any time for the processing of personal data carried out by the Company for its own legitimate interest.

In the event that the Company decides to process the personal data collected for any other purposes inconsistent with the Purposes for which the personal data were originally collected or authorized, the Company will inform the Data Subject in advance and the Data Controller will gather his/her consent for such processing activity, if needed.

5.      HOW WE PROCESS PERSONAL DATA?

In relation to the above-mentioned Purposes, the processing of personal data may consist in the activities indicated in Article 4(1)(2) of the GDPR, namely: collection, recording, organization, structuring, storage, retrieval, consultation, use, erasure and destruction of personal data.

Moreover, Data Subjects‘ personal data will be:

  • processed in accordance with the principles of lawfulness, fairness and transparency;
  • collected for the above-specified legitimate Purposes;
  • adequate, relevant and limited to what is necessary in relation to the Purposes for which they are processed;
  • kept in a form which permits identification of the Data Subject for no longer than is necessary for the Purposes for which the personal data are processed as specified in the above Section 3;
  • processed in a manner that ensures appropriate security of the personal data from the risks of destruction, loss, alteration, unauthorised disclosure or access through technical and organisational protection measures.

The processing may be carried out using manuals, computerized or technology tools, with logic strictly related to the Purposes and, in any case, with means that ensure compliance with the requirements and prescriptions of confidentiality and security, and with the specific obligations provided in the Privacy Legislation.

6.      TO WHOM WE COMMUNICATE PERSONAL DATA?

Candidates‘ personal data will be processed by the Company‘s employees and collaborators, specifically designated as authorized persons for the processing pursuant to the Article 29 of the GDPR, where necessary to carry out the Purposes set forth in the above Section 3 of this Notice.

Furthermore, the Company informs the Candidates that their personal data may be disclosed for carrying out the Purposes to additional recipients or categories of recipients, as autonomous data controllers or, if necessary, as data processors expressly selected and appointed by the Company, pursuant to the Article 28 of the GDPR, such as:

  • DATA4 Group companies;
  • service providers for staff recruiting, selection and evaluation activities, specifically appointed;
  • IT service providers.

7.      DO WE TRANSFER PERSONAL DATA TO COUNTRIES OUTSIDE THE EUROPEAN ECONOMIC AREA?

The processing and storage of personal data will take place on Company’s servers located within the European Union and/or third-party companies duly appointed as data processors.

Any transfer of Data Subjects’ personal data outside the European Economic Area may take place only under the terms and with the guarantees provided for by the Privacy Legislation and, in particular, in accordance with Articles 44 – 49 of the GDPR.

8.      THIRD PARTIES‘ WEBSITES

It should be noted that, should the Career Portal contain links that refer to websites of third parties, the Company cannot exercise any control over the content of such websites nor does it have any access to the personal data of the Candidates/visitors of these websites. Moreover, the Company has no access to the personal data of visitors/Candidates of the websites.

The owners of the aforementioned websites will remain, therefore, the sole and exclusive owners and managers of the processing of the Candidates’ personal data, and the Company remains extraneous to this activity as well as to any liability, prejudice, cost, which may arise from its failure or improper performance.

We therefore recommend you to carefully read the relevant privacy notices and terms of use of such websites, before providing or consenting for the processing of your personal data.

9.      WHAT ARE YOUR RIGHTS IN RELATION TO THE PROCESSING OF YOUR PERSONAL DATA?

The Data Controller informs the Data Subject that, in accordance with the law, he/she will always have the right to withdraw at any time his/her consent, where given, as well as to exercise, at any time, the following rights (collectively, the “Rights”):

  1. the “right of access” and, specifically, the right to obtain confirmation as to whether or not personal data concerning the Data Subject are being processed and the communication of such data in an intelligible form;
  2. the “right to rectification” i.e. the right to request the rectification or, if interested, the integration of personal data;
  3. the “right to erasure” i.e. the right to request the erasure or the anonymization of personal data that have been processed unlawfully, including data whose storage is unnecessary for the Purposes for which they were collected or further processed;
  4. the “right to restriction of processing” i.e. the right to obtain from the Data Controller the limitation of the processing in certain cases provided for under the Privacy Legislation;
  5. the right to request the Data Controller to indicate the recipients to whom it has notified any rectification or erasure or restriction of processing (carried out in accordance with Articles 16, 17 and 18 GDPR, in fulfillment of the notification obligation unless this proves impossible or involves disproportionate effort);
  6. the “right to data portability” i.e. the right to receive (or transmit directly to another data controller) personal data in a structured, commonly used and machine-readable format;
  7. the “right to object”, i.e. the right to object, in whole or in part:
    • the processing of personal data carried out by the Data Controller for its own legitimate interest;
    • the processing of personal data carried out by the Data Controller for direct marketing or profiling purposes.

In the above cases, where necessary, the Data Controller will inform the third parties to whom the Data Subject‘s personal data have been disclosed of his/her exercise of rights, unless it is not possible or is too onerous and, in any case, in accordance with the provisions of the Privacy Legislation.

It is expressly understood, as provided in Article 21 of the GDPR, that in the event that the Data Subject exercises his/her right to object, the Data Controller will refrain from any further processing of the personal data, unless the Data Controller demonstrates the existence of binding legitimate reasons to proceed with the processing that override the interests, rights, and freedoms of the Data Subject or for the establishment, exercise, or defense of a right in court.

In any case, the Company – where it has reasonable doubts as to the identity of the Data Subject making the request referred to in Articles 15 to 21 of the GDPR – may request additional information to confirm the identity of the Data Subject.

10.      HOW ONE’S RIGHTS CAN BE EXERCISED AND HOW TO LODGE A COMPLAINT TO THE DATA PROTECTION AUTHORITY?

Data Subject is entitled to exercise his/her Rights at any time in the following manner:

  • by e-mail, to the address: privacy@data4group.com
  • by sending a letter to the address of the registered office of DATA4 as indicated in this Notice.

The Data Controller hereby informs the Data Subject that, pursuant to the Privacy Legislation, he/she has the right to lodge a complaint with the competent supervisory authority (in particular in the Member State of User’s habitual residence, place of work or place of the alleged breach), if he/she is of the opinion that his/her personal data are being processed in a way that would lead to breaches of the GDPR.

In order to facilitate the exercise of the right to lodge a complaint, the name and contact details of the European Union Supervisory Authority are available at the following link: https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm.

11.   UPDATES TO THE PRIVACY NOTICE

This Notice may be amended over the time. We encourage Data Subjects to check its contents periodically. In any case, it will be the Data Controller’s responsibility to report appropriately any significant amendments made to this Notice.

Last update on October 2024