The Data Controller is Casa E. Mirafiore & Fontanafredda s.r.l. with registered office in Via Alba 15, 12050 Serralunga d’Alba, VAT no. 01197120528, registered in the Register of Companies of Cuneo and at Cuneo Chamber of Commerce – REA CN-265953, in the person of the pro tempore legal representative, (hereinafter the “Data Controller”).
Casa E. Mirafiore & Fontanafredda s.r.l. has appointed a person responsible for the protection of personal data, who can be contacted at the email address email@example.com.
When recruiting personnel, the Data Controller may collect and process the following personal data:
- candidate’s identification data (name, surname, place and date of birth, picture included in CV);
- contact data (home address, e-mail, telephone);
- data relating to education;
- data relating to work experience;
- special categories of data included in the CV by the candidate (e.g., information on health, racial and ethnic origin, religious, philosophical or other beliefs, political opinions, membership of political parties, trade unions, associations or organisations of a religious, philosophical, political or trade unionist nature). Any processing of such data takes place pursuant to art. 9.2. letter a), with the candidate’s explicit consent, which will be requested during the interview. Please note that the Data Controller does not process special categories of data unless strictly necessary for the purpose of the job (e.g., in the case of a protected category). Consequently, such special data will not be taken into account for the purposes of the application, unless the candidate gives their explicit consent. Unless such data is strictly necessary to the application, we ask you not to include it.
Purpose of processing and legal basis
The Controller may collect and process the personal data of the candidate:
- to assess the candidate’s suitability for the job and possible recruitment for the role for which the application has been submitted. The legal basis of the processing lies in the implementation of pre-contractual measures between the Data Controller and the data subject (pursuant to art. 6.1, letter b) GDPR);
- to fulfil obligations imposed by law, by a regulation, by Community legislation or by an order issued by the Authority (e.g., to make provision for health and safety in the workplace, pursuant to art. 6.1, letter c) GDPR);
- in the legitimate interest of the employer (e.g., security, protection of assets, exercise of defence, pursuant to art. 6.1, letter f) GDPR);
- with explicit consent, pursuant to art. 6.1, letter a) GDPR), for roles that may become available in the future. This consent is optional;
- with explicit consent, pursuant to art. 9.2, letter a) GDPR), for any processing of special categories of data included in the candidate’s CV.
The candidate may withdraw their consent at any time.
There is a possibility that the personal data of third parties included in the CV may be processed. On this point, the candidate hereby guarantees that such processing is carried out on the appropriate legal basis of EU Regulation 2016/679.
Methods of processing and retention of personal data
All personal data is processed both on paper and electronically (using servers, databases, software, etc).
All personal data will be processed and stored from the time of its receipt to the extent by which it is necessary and for the time strictly necessary to pursue the above purposes. Unless otherwise stipulated by laws indicated different periods of time, candidates’ CVs will be stored for a maximum of two years, after which the data will be permanently deleted.
The Data Controller does not carry out any processing based solely on automated decisions, including profiling, which trigger legal effects concerning or significantly affecting the candidate. No personal data is processed for the purposes of marketing (e.g., commercial and promotional communications).
Categories of data recipients
Authorised in-house recipients
Personal data may be accessed by employees/collaborators who assist the Data Controller in the recruitment process. These recipients have been informed of and trained in the importance of respecting the principles and rules regarding the processing of personal data.
The Data Controller may disclose the data subject’s information to any physical or legal entities outside the company to which it outsources personnel recruitment activities.
If the outsourcer accesses the data, they shall do so in compliance with the legislation in force on the protection of personal data and the instructions given by the Data Controller. The Data Controller does not disclose personal information to other third parties without the consent of the data subject, unless required to do so by law or by an Authority.
Transferral of data to countries outside the EU
The data subject’s personal data is not transferred to non-EU countries or international organisations.
Rights of the data subject
The data subject may exercise their rights as stated in article 15 et seq. of EU Regulation 2016/679, by writing to the Data Controller at firstname.lastname@example.org or by registered letter with notification of receipt addressed to Casa E. Mirafiore & Fontanafredda S.r.l., Via Alba, 15 – 12050 Serralunga d’Alba (Cn), Italy.
The data subject has the right, at any time, to ask the Data Controller for access to their personal data, its rectification or deletion, or limitation of processing. Moreover, in the cases envisaged, the data subject may, at any time, object to the processing of their data (including automated processing, e.g., profiling), and may withdraw their consent without prejudice to the legality of the processing based on their prior consent. The data subject has the right to lodge a complaint with the Data Protection Authority (www.garanteprivacy.it) or another supervisory authority in compliance with Regulations. The data subject has the right to the portability of their data, in which case the Data Controller shall supply the personal data concerning the data subject in a structured, commonly used and machine-readable format.
The policy may be amended and updated by the Data Controller. Every update will be published on this page.