Privacy Policy: Applicants
Pursuant to EU Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”), the following information is provided pursuant to Artt. 13 and 14 concerning the processing of your personal data - directly provided by you or provided by Engineering Group employees through so-called “Referral” campaigns - in the context of the recruitment relationship.
1. Data Controller and Data Protection Officer
The following explains how Engineering Ingegneria Informatica S.p.A. and/or its affiliated, associated and newly acquired companies both in Italy and abroad (“Engineering”) process and protect your personal data that we process and what rights you have in relation to the processing of your personal data when you apply for a job at Engineering or when an Engineering Group employee, through so-called “Referral” campaigns recommends you as a suitable person for a job position within the Company (“Application”) or when you undertake pre-employment and/or onboarding actions.
The data controller is the Engineering group company where you have applied (the “Company” or the “Data Controller”).
Engineering Group has designated a Data Protection Officer, (“Data Protection Officer” or “DPO”), who can be contacted at the following email address: dpo.privacy@eng.it.
2. Which personal data will we process?
The data that the Data Controller may process includes your so-called common data (such as personal or contact details) and your so-called “special” data, subject to the protections of Article 9 GDPR.
Particular data are only those that are likely to reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data intended to identify a natural person uniquely, data relating to a person's health or sexual life or sexual orientation.
We would like to remind you not to include data relating to your health or other data that may fall under the definition of special data in Article 9 GDPR in your CV.
Such data may be requested from you during the selection process only in order to comply with regulatory requirements or to follow up on specific rights or duties of you or the Data Controller in the field of employment law.
The categories of personal data required and the manner in which such personal data is collected and made accessible may vary depending on the country in which the Data Controller is located.
The Data Controller will collect the following categories of data:
3. Purpose of the processing and applicable legal basis
The personal data indicated above are processed for the specified purposes. Please note that the processing is lawful only if it is carried out on the basis of a so-called legal basis among those indicated in Art. 6 GDPR.
Below is an indication of the purposes and legal basis for the processing.
A) To guarantee the correct performance of the Application process aimed at, among other things, assessing the suitability of the applicant for the position for which he/she has applied or for future roles that may become available; managing and responding to your requests for information and enabling the possible fulfilment of pre-contractual and contractual obligations necessary for the establishment of the employment relationship.
The legal basis for the processing of data sub A is the need to implement pre-contractual measures or measures requested by you pursuant to Art. 6 letter b) GDPR.
In addition, if special data is processed about you (such as if measures requested by you in relation to your specific subjective situation need to be implemented), the processing will be carried out pursuant to Art. 9 letter b) in order to fulfil the obligations and exercise the specific rights of the Data Controller or the data subject in the field of labour and social security law and social protection.
B) Assess the suitability of the applicant for the position for present and/or future roles that may become available within Engineering. Carring out statistical analysis and recruiting activities.
The legal basis for data processing under B is the pursuit of the Data Controller’s legitimate interest pursuant to Art. 6 para. 1 letter f GDPR. The Data Controller’s legitimate interest is the proper organisation and management of work.
C) The Data Controller may also process personal data to defend its rights in the course of judicial, administrative or extrajudicial proceedings and in the context of disputes arising in connection with the services.
The legal basis for data processing under C is the pursuit of the Data Controller’s legitimate interest pursuant to Art. 6 para. 1 letter f GDPR. The legitimate interest of the Data Controller is the protection of the company’s assets in the event of the emergence of misconduct to the detriment of the employer, also in order to be able to protect its position in court.
D) Fulfilment of obligations under laws, regulations or EU legislation, or of provisions/requirements of authorities empowered to do so by law and/or supervisory and control bodies.
The legal basis for the processing of data under D is the need to fulfil legal obligations to which the Data Controller is subject 6 para. 1 letter c GDPR.
In addition, if your special data are processed (such as if you have to implement measures you have requested in connection with illnesses), the processing will be carried out pursuant to Art. 9 letter b) in order to fulfil your or the Data Controller’s obligations and exercise your rights in the field of labour and social security law and social protection provided for by law; or pursuant to Art. 9 letter h) if it is provided by law that the employer must have access to your special data for the purpose of preventive or occupational medicine or assessment of capacity for work.
Engineering may also process your personal data for purposes compatible with those listed above.
4. Sources from which we take your data, Recipients, Modes of processing
The Data Controller may obtain your data from the following sources:
· From you directly by sending your CV, cover letter or other information entered online;
Generally speaking, access to your personal data will be based on the need-to-know principle: a limited number of subjects will have access to your personal data, to the extent strictly necessary to carry out the processing operations identified in this notice.
Furthermore, the Data Controller may communicate your data to third parties who may act under the control and directives of the Data Controller, or as autonomous data controllers. By way of example and without limitation, such recipients may be:
The complete and up-to-date list of data recipients can be obtained from the Data Controller or the DPO at the above-mentioned addresses.
Processing arrangements
We maintain organisational, physical and technical security arrangements for all personal data in our possession. We have relevant protocols, controls, policies, procedures and guidelines in place to maintain these arrangements, taking into account the risks associated with the categories of personal data and processing we undertake. We take security measures in accordance with the best market standards to protect your personal data.
5. Transfer of data outside the EU
In pursuit of the above-mentioned purposes, some of your personal data may be shared with recipients located outside the European Union/European Economic Area. In such circumstances, the Data Controller ensures that the transfer of such data takes place in compliance with the provisions of Chapter V of the GDPR (Transfers of Personal Data to Third Countries or International Organisations), therefore on the basis of an adequacy decision of the European Commission pursuant to Article 45 GDPR or, failing that, with the adoption of the appropriate safeguards referred to in Article 46 of the GDPR, such as the Standard Contractual Clauses in the latest version published by the European Commission.
6. Data Retention Periods
The Data Controller retains the Applicants' data only for as long as necessary to achieve the purposes for which it was collected or for any other related legitimate purpose.
Should a job offer be made and accepted by the Data Controller, the personal data collected during the Application process will become part of Engineering's personnel records, to be kept for the entire period following the termination of the employment relationship with Engineering in accordance with the terms provided for by law. In such circumstances, you will be provided with an information notice on processing personal data in the context of the newly established employment relationship.
Should your Application be unsuccessful, Engineering may nevertheless continue to retain and use the personal data collected during the Application process in order to consider new positions, as well as to carry out market research and analysis, for a maximum of 12 (twelve) months from the end of the Application process.
In any event, the Data Controller reserves the right to retain your data for as long as is necessary to fulfil the regulatory obligations to which it is subject or to meet any defensive needs.
7. Data subject’s rights
Pursuant to current legislation, you have the following rights.
You may exercise your rights, in the manner set out in Article 12 of the GDPR and within the limitations set out in Article 23 of the GDPR, by writing to the Controller’s contact details set out in this notice or to the DPO’s address: dpo.privacy@eng.it.
Without prejudice to any other administrative or judicial remedy, you are also guaranteed the right to lodge a complaint with the competent supervisory authority where you believe there has been a violation of your data protection rights. Further information is available at https://www.garanteprivacy.it.