PRIVACY POLICY STATEMENT REGARDING THE PROCESSING OF CANDIDATES' PERSONAL DATA
PURSUANT TO ARTICLES 13 and 14 OF REGULATION (EU) 2016/679 (“GDPR”)
The Controller for the processing of personal data (the “Controller” or “UniSR”) intends to provide you, in your capacity as a data subject in the context of applications for employment positions at UniSR (“Data Subject”), with the specific information on the processing of personal data that is necessary by virtue of the application itself, pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (“GDPR”) and of the European and national legislation supplementing and/or amending the same Regulation, including Italian Legislative Decree no. 196/2003 as amended (hereinafter, the “Data Protection Code”).
Contact data
Controller:
- Università Vita-Salute San Raffaele (“University”)
- Via Olgettina 58 - Milan, Italy
- Email address: [email protected]
Data Protection Officer (DPO):
- GSD Sistemi e Servizi S.c.a.r.l. (“GSDSS”) in the person of Mrs. Francesca Pierangelo
- Email address: [email protected]
Personal Data processed
UniSR will handle the following types of data:
- Master data and contact data;
- Income and/or assets;
- Professional and educational background information;
- Information on the soft skills and aptitudes of the Data Subject;
- Health data (“Special Categories of Data”).
This data will be collected from the Data Subject and/or third parties (e.g. personal data, contact data and application information may be collected from social networks, recruitment companies and/or databases).
Purposes of processing, Legal basis of processing, Data storage period
Purposes of processing: Candidate headhunting and recruitment activities in relation to all positions managed by the Controller, including for future recruitment, as well as to take advantage of the free services offered by the Controller such as, for example, active employment policies, courses and training.
Legal basis of processing:
a. Ordinary data - Execution of a contract to which the data subject is party or of pre-contractual measures, pursuant to Article 6(1)(b) of the GDPR.
b. Special categories of data (where recruitment concerns protected categories) - Compliance with specific obligations and exercise of specific rights of the controller or data subject with regard to labour, social security and welfare law, to the extent that this is authorised by the law of the Union or Member States or a collective employment contract under the law of the Member States, with appropriate guarantees for the fundamental rights and interests of the data subject, under Article 9(2)(b) of the GDPR.
Data storage period: Until the conclusion of the recruitment process, but no later than 12 months after submission of the application.
Purposes of processing: Management of whistleblowing reports pursuant to Italian Legislative Decree 24/2023
Legal basis of processing:
a. Ordinary data - Compliance with obligations under laws and regulations and Community law, under Article 6(c) of the GDPR.
b. Special categories of data (where contained in the report) - Compliance with specific obligations and exercise of specific rights of the controller or data subject with regard to labour, social security and welfare law, to the extent that this is authorised by the law of the Union or Member States or a collective employment contract under the law of the Member States, with appropriate guarantees for the fundamental rights and interests of the data subject, under Article 9(2)(b) of the GDPR.
Data storage period: Five years from the date of the disclosure of the final outcome of the whistleblowing procedure, from the closure of all activities resulting from the assessment of the facts set out in the report, if no judicial or disciplinary proceedings against the person reported or the whistleblower have been instituted as a result. If the reported person or whistleblower has made false or defamatory statements, the data will be retained for the duration of the proceedings and until the expiry of the time limit for appeals.
Purposes of processing: For the exercise or defence of a right before the courts or as a preliminary to legal proceedings.
Legal basis of processing:
a. Ordinary data - Pursuit of the legitimate interest of the Controller in judicial and/or extrajudicial protection, pursuant to Article 6(1)(f) of the GDPR.
b. Special categories of data - Assessment, exercise or defence of a right in court or whenever the courts exercise their judicial functions, pursuant to Article 9(2)(f) of the GDPR.
Data storage period: The entire duration of the dispute, until the expiry of the time limits for appeal.
The Controller shall not collect CVs or other documents containing data that may reveal your state of health (“Special Categories of Data”) and, where they are provided in any way, the Controller shall proceed with their erasure, except where the processing of such data is necessary to fulfil the obligations of the Controller and to exercise the specific rights of the Data Subject in the field of labour law, in particular to assess recruitment in protected categories or to promote equal opportunities where provided for by law. No prior consent is required for the processing of your Personal Data, as the processing is necessary and legitimised by the above-mentioned condition of lawfulness.
Nature of data provision and consequences of refusal
The provision of your Personal Data for the above-mentioned purposes is optional, but if you refuse to provide your personal data, it will not be possible to proceed to the recruitment phase as a necessary step for the possible establishment of an employment relationship.
Data processing procedures
Personal Data will be processed - in accordance with the principles of fairness, lawfulness and transparency - both in paper format and by means of computer and/or electronic means and/or tools, with logic strictly related to the purposes of processing and in any case ensuring the confidentiality and security of the data and compliance with the specific obligations laid down by law. The availability and management of, access to, storage of and use of data are ensured by the adoption of technical and organisational measures to ensure suitable levels of security in accordance with Articles 25 and 32 of the GDPR and as appropriate to the specific purposes of processing defined by the relevant legislation.
Disclosure of data
Your Personal Data will not be disseminated. This is without prejudice, in any event, to cases where the disclosure or dissemination of your Personal Data is required, in accordance with the law, by public entities for purposes of defence or security or for the prevention, detection or prosecution of criminal offences.
The aforesaid will usually operate as independent Controllers for their respective processing operations. An up-to-date list of such entities can be obtained by contacting the Controller.
Data Processor
Your Personal Data may be disclosed to the providers of services strictly related to and necessary for the Controller’s operations, normally acting as data processors under Article 28 of the GDPR. The full list may be requested from the Controller at any time by writing to the contacts provided above.
Authorised processors
Personal Data may be processed by employees of the company functions assigned to the pursuit of the above-mentioned purposes, who have been expressly authorised to process them and who have received adequate operating instructions in accordance with the provisions of Article 29 of the GDPR.
Transfer of personal data to countries outside the European Union
The Controller does not intend to transfer your Personal Data to countries outside the European Union and the European Economic Area. Should such a transfer be necessary and/or unavoidable for the Controller's organisational needs, it should be noted as of now that it will only be made to countries for which an adequacy decision has been adopted by the European Commission; in the case of a country other than those referred to in the previous point, the transfer of data will be governed by the Standard Contractual Clauses without prejudice to the adoption, subject to the agreement of the Parties involved, of another of the safeguard measures established by Article 46 of the GDPR or the application of one of the derogatory mechanisms set out in Article 49 of the GDPR.
Further information can be obtained from the Controller by writing to the contacts provided above.
Rights of the Data Subject
In relation to the processing of your Personal Data, you may assert the rights recognised to data subjects under Articles 15 to 22 of the GDPR, where applicable and within the limits set by Article 2-undecies of the Data Protection Code (right to access data, right to rectification or erasure of data, right to restriction or to object to processing, right to data portability, right not to be subject to automated decision-making), by submitting a written request to the Controller or DPO at the above-mentioned addresses.
Please also note that, under Article 140(2) of the Data Protection Code, you may lodge a complaint with the Italian Data Protection Authority or have recourse to the judicial authorities.