Pursuant to EU Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”), the following information is provided pursuant to Artt. 13 and 14 concerning the processing of your personal data - directly provided by you or provided by Engineering Group employees through so-called “Referral” campaigns - in the context of the recruitment relationship.

1.      Data Controller and Data Protection Officer

The following explains how Engineering Ingegneria Informatica S.p.A. and/or its affiliated, associated and newly acquired companies both in Italy and abroad (“Engineering”) process and protect your personal data that we process and what rights you have in relation to the processing of your personal data when you apply for a job at Engineering or when an Engineering Group employee, through so-called “Referral” campaigns recommends you as a suitable person for a job position within the Company (“Application”) or when you undertake pre-employment and/or onboarding actions.

The data controller is the Engineering group company where you have applied (the “Company” or the “Data Controller”).

Engineering Group has designated a Data Protection Officer, (“Data Protection Officer” or “DPO”), who can be contacted at the following email address: dpo.privacy@eng.it. 

2.      Which personal data will we process?  

The data that the Data Controller may process includes your so-called common data (such as personal or contact details) and your so-called “special” data, subject to the protections of Article 9 GDPR.

Particular data are only those that are likely to reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data intended to identify a natural person uniquely, data relating to a person's health or sexual life or sexual orientation.

We would like to remind you not to include data relating to your health or other data that may fall under the definition of special data in Article 9 GDPR in your CV.

Such data may be requested from you during the selection process only in order to comply with regulatory requirements or to follow up on specific rights or duties of you or the Data Controller in the field of employment law.

The categories of personal data required and the manner in which such personal data is collected and made accessible may vary depending on the country in which the Data Controller is located.

The Data Controller will collect the following categories of data:

• Your name, address, e-mail address, telephone number and other relevant personal information and contact details;
• Your CV, cover letter, previous and/or relevant work experience or other experience, training, transcripts or other information you provide to us in support of the Application;
• Details of the type of job you are or may be seeking, current and/or desired salary and other terms related to compensation and benefits packages, willingness to relocate or other work preferences;
• Details of how you became aware of the position for which you are applying;
• Any information relating to your possible membership of protected categories or further information that may be relevant on the basis of applicable law.
• Information about any previous applications submitted to Engineering and/or any previous work experience with Engineering;
• Your information from publicly available sources, including online that we consider relevant to your application or potential future application (e.g. your LinkedIn profile); and/or
• data provided by employment companies, recruiters or third-party job search websites where applicable;
• data about your health or disability where it is relevant to your ability or willingness to work in a workplace, subject to legal limits on when such data may be collected and other applicable limitations
• gender identity data to help achieve Engineering's diversity objectives, assess the effectiveness of its equal opportunities policy and promote best practices for corporate diversity.

3.      Purpose of the processing and applicable legal basis

The personal data indicated above are processed for the specified purposes. Please note that the processing is lawful only if it is carried out on the basis of a so-called legal basis among those indicated in Art. 6 GDPR.

Below is an indication of the purposes and legal basis for the processing.

A)      To guarantee the correct performance of the Application process aimed at, among other things, assessing the suitability of the applicant for the position for which he/she has applied or for future roles that may become available; managing and responding to your requests for information and enabling the possible fulfilment of pre-contractual and contractual obligations necessary for the establishment of the employment relationship.

The legal basis for the processing of data sub A is the need to implement pre-contractual measures or measures requested by you pursuant to Art. 6 letter b) GDPR.

In addition, if special data is processed about you (such as if measures requested by you in relation to your specific subjective situation need to be implemented), the processing will be carried out pursuant to Art. 9 letter b) in order to fulfil the obligations and exercise the specific rights of the Data Controller or the data subject in the field of labour and social security law and social protection.

B)      Assess the suitability of the applicant for the position for present and/or future roles that may become available within Engineering. Carring out statistical analysis and recruiting activities.

The legal basis for data processing under B is the pursuit of the Data Controller’s legitimate interest pursuant to Art. 6 para. 1 letter f GDPR. The Data Controller’s legitimate interest is the proper organisation and management of work.

C)     The Data Controller may also process personal data to defend its rights in the course of judicial, administrative or extrajudicial proceedings and in the context of disputes arising in connection with the services.

The legal basis for data processing under C is the pursuit of the Data Controller’s legitimate interest pursuant to Art. 6 para. 1 letter f GDPR. The legitimate interest of the Data Controller is the protection of the company’s assets in the event of the emergence of misconduct to the detriment of the employer, also in order to be able to protect its position in court.

D)     Fulfilment of obligations under laws, regulations or EU legislation, or of provisions/requirements of authorities empowered to do so by law and/or supervisory and control bodies.

The legal basis for the processing of data under D is the need to fulfil legal obligations to which the Data Controller is subject 6 para. 1 letter c GDPR.

In addition, if your special data are processed (such as if you have to implement measures you have requested in connection with illnesses), the processing will be carried out pursuant to Art. 9 letter b) in order to fulfil your or the Data Controller’s obligations and exercise your rights in the field of labour and social security law and social protection provided for by law; or pursuant to Art. 9 letter h) if it is provided by law that the employer must have access to your special data for the purpose of preventive or occupational medicine or assessment of capacity for work.

Engineering may also process your personal data for purposes compatible with those listed above.

4.      Sources from which we take your data, Recipients, Modes of processing

The Data Controller may obtain your data from the following sources:

·         From you directly by sending your CV, cover letter or other information entered online;

• By other Engineering affiliates;
• From conversations with recruiters to interviews with hiring managers and other staff or representatives of Engineering, as well as from third parties to whom Engineering outsources recruitment activities, from internet searches these people may perform (where permitted by applicable law), or from data they may obtain from job search or professional networking websites (e.g. LinkedIn, Indeed, Monster, etc.) where your data may be publicly available
• From previous employers;
• From social media (where permitted by applicable law);
• Recipients;
• With regard to so-called “Referral” campaigns, from Engineering Group employees who recommend you as a suitable person for a job position within the Company.

Generally speaking, access to your personal data will be based on the need-to-know principle: a limited number of subjects will have access to your personal data, to the extent strictly necessary to carry out the processing operations identified in this notice.

Furthermore, the Data Controller may communicate your data to third parties who may act under the control and directives of the Data Controller, or as autonomous data controllers. By way of example and without limitation, such recipients may be:

• service providers (inter alia, IT support functions, recruitment companies, analytics services);
  
• competent police, judicial and/or administrative authorities, where required;
• professionals, bound by professional secrecy, appointed to take part in the ordinary and contentious management of labour relations;
• companies controlled by or associated with Engineering Ingegneria Informatica S.p.A;
• control/supervisory bodies of the Company;
• business partners for the provision of ancillary services related to the recruiting process.
  

The complete and up-to-date list of data recipients can be obtained from the Data Controller or the DPO at the above-mentioned addresses.

Processing arrangements

We maintain organisational, physical and technical security arrangements for all personal data in our possession. We have relevant protocols, controls, policies, procedures and guidelines in place to maintain these arrangements, taking into account the risks associated with the categories of personal data and processing we undertake. We take security measures in accordance with the best market standards to protect your personal data.

5.      Transfer of data outside the EU

In pursuit of the above-mentioned purposes, some of your personal data may be shared with recipients located outside the European Union/European Economic Area. In such circumstances, the Data Controller ensures that the transfer of such data takes place in compliance with the provisions of Chapter V of the GDPR (Transfers of Personal Data to Third Countries or International Organisations), therefore on the basis of an adequacy decision of the European Commission pursuant to Article 45 GDPR or, failing that, with the adoption of the appropriate safeguards referred to in Article 46 of the GDPR, such as the Standard Contractual Clauses in the latest version published by the European Commission.

6.      Data Retention Periods

The Data Controller retains the Applicants' data only for as long as necessary to achieve the purposes for which it was collected or for any other related legitimate purpose.

Should a job offer be made and accepted by the Data Controller, the personal data collected during the Application process will become part of Engineering's personnel records, to be kept for the entire period following the termination of the employment relationship with Engineering in accordance with the terms provided for by law. In such circumstances, you will be provided with an information notice on processing personal data in the context of the newly established employment relationship.

Should your Application be unsuccessful, Engineering may nevertheless continue to retain and use the personal data collected during the Application process in order to consider new positions, as well as to carry out market research and analysis, for a maximum of 12 (twelve) months from the end of the Application process.

In any event, the Data Controller reserves the right to retain your data for as long as is necessary to fulfil the regulatory obligations to which it is subject or to meet any defensive needs.

7.      Data subject’s rights

Pursuant to current legislation, you have the following rights.

• Access: you have the right to access at any time the data concerning you that are available to the Data Controller, as well as any useful information concerning the processing carried out by the latter;
  
• Rectification: you have the right to obtain the rectification and/or correction of inaccurate data concerning you that is available to the Controller;
• Deletion: in the event of specific reasons, you have the right to request and obtain, without undue delay, the deletion of your data in the possession of the Controller;
• Restriction: in special cases, you have the right to have the processing of your data restricted;
• Portability: in the event of automated processing of data based on your consent or the performance of a contract, you have the right to receive, in a structured, commonly used, and machine-readable format, your personal data provided to the Controller, as well as the right to transmit such data to another controller without hindrance;
  
• Objection: you have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data based on the pursuit of the legitimate interests of the controller, unless the controller proves the existence of compelling legitimate grounds that override your interests, rights and freedoms;
  
• Automated decision-making: you have the right not to be subject to a decision based solely on automated processing of your data, including profiling, where such a decision significantly affects you.
  

You may exercise your rights, in the manner set out in Article 12 of the GDPR and within the limitations set out in Article 23 of the GDPR, by writing to the Controller’s contact details set out in this notice or to the DPO’s address: dpo.privacy@eng.it.

Without prejudice to any other administrative or judicial remedy, you are also guaranteed the right to lodge a complaint with the competent supervisory authority where you believe there has been a violation of your data protection rights. Further information is available at https://www.garanteprivacy.it.