Via Colle della Maddalena, 4/A Giffoni Valle Piana, Salerno, Italy
Notice pursuant to Art. 13 of the General Data Protection Regulation (EU GDPR) 2016/679 concerning Candidates, Employees, and Collaborators
The EU Regulation 2016/679 ("Regulation" or "GDPR") sets rules on the protection of individuals with regard to the processing of personal data and on the free movement of such data. The Regulation safeguards the fundamental rights and freedoms of individuals, particularly their right to data protection. This notice is provided pursuant to Article 13 of the Regulation, in compliance with the principles contained therein. Your personal data is collected only to the extent compatible with the purposes described in the following notice, and their processing will be based on principles of fairness, legality, and transparency.
- 1. DATA CONTROLLER
Mavment s.r.l., Via Colle della Maddalena, 4/A Giffoni Valle Piana, Salerno, Italy, VAT No. IT05426900659, is the Data Controller ("the Controller") of your personal data ("the Data") concerning its use. Among the personal data are those considered "special" under Articles 9 and 10 of the Regulation, which can reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, union membership, genetic data, biometric data, health data, or data regarding the person's sexual orientation. These may be collected before or during the establishment of any work relationship and may relate to you, your relatives or cohabitants, and/or your family members.
- 2. PURPOSES OF PROCESSING AND LEGAL BASES
If you are a CANDIDATE, the collection and processing of your personal data and that of any family members (which may also include special and judicial data) may occur for the following purposes:
- a) Recruitment and personnel selection on behalf of the company;
- b) Pre-contractual negotiations aimed at hiring and determining remuneration and any other emolument provided by law and by collective or individual contracts;
- c) Participation in training and updating courses;
- d) Possible extrajudicial or judicial management of disputes.
During the Selection phase, the Controller may process special categories of data, specifically data showing your membership in a protected category. For this processing, we remind you that consent is required by the Regulation.
The processing of your personal data for the purposes mentioned in letters a), b), c), d) requires your consent, which we ask you to express through the appropriate form, specifying that any refusal would make it impossible for the company to implement the relevant activities.
In all cases where an Employment or Collaboration Contract is signed and you hold the status of Employee or Collaborator of the Company, your personal data and that of any family members (including special and judicial data) will be processed for the purposes listed above and also for the following purposes:
- e) Payment of wages and any other emolument provided by law and by collective or individual contracts;
- f) Execution and management of the employment contract and the consequent fulfillment of all obligations provided by law, contract, regulations, or collective agreements, including company agreements and EU legislation, in relation to pension institutes, welfare bodies, insurance bodies, including supplementary ones, financial administrations;
- g) Fulfillment of obligations arising from insurance contracts for the coverage of diseases and/or professional accidents as well as the risks associated with the employer's liability for damages caused to third parties during work or professional activity;
- h) Management of medical certificates provided to justify absences from work;
- i) Verification and control of physical and computer access, enabling and disabling electronic badges and passwords;
- j) Management of services, such as the provision of company assets such as cars, credit cards, desktop and laptop computers, mobile phones;
- k) Carrying out all practices and fulfilling all provisions established by current regulations on Work Safety, Privacy, and Environment;
- l) Tax obligations and communications to the financial administration, including any tax assistance (e.g., mod. 730).
In the event that an employment contract has been signed, the Controller may collect special categories of personal data under Article 9 of the Regulation, as they are suitable to detect: a state of health (e.g., certificates relating to absences due to illness, maternity, accident, data relating to certain jobs and mandatory starts, medical examinations for work safety); membership in a union (e.g., holding union positions, request for retention for union membership fees); membership in a political party or movement (e.g., request for leave or leave of absence for elected public positions); religious beliefs (e.g., request to take advantage of religious holidays provided for by law); criminal convictions, offenses, or security measures (e.g., criminal records, pending charges, certificates, fines, and sanctions). It should be noted that these purposes may involve the need/opportunity to process data (also of "special categories") relating to other subjects (e.g., spouse, children, dependents). Such data will be processed only in strictly necessary cases for purposes arising from legal obligations, and in any case, in compliance with the provisions of the Regulation.
The specific data concerning health, processed by the competent doctor in carrying out the tasks provided for by Legislative Decree 81/08 and other provisions on hygiene and safety in the workplace, for preventive and periodic medical examinations, will be processed at the employer only by the same doctor. The employer, the data controller, will receive communication of only the judgments on the suitability of the workers.
The processing of your personal data carried out by the Company for the purposes listed in letters e), f), g), h), i), j), k), l) is lawful as it is necessary to fulfill the legal obligations to which the Controller is subject or necessary for the execution of the employment contract, also in administration, signed with you.
- 3. NATURE OF DATA PROVISION
The provision of some personal data is essential for the purposes set out in paragraph 2. These data are: name, surname, residence, domicile, tax code, details of the identification documents of individuals. For this reason, the failure to provide such data will result in the impossibility of establishing and/or continuing the contractual relationship between the parties. Other personal data, on the other hand, are considered accessory, and their provision is optional. These include: bank details and phone numbers. Refusal to provide the aforementioned data does not affect the contractual relationship, but may make it difficult or impossible to carry out the individual operation connected to such data. The Controller will communicate any difficulties that arise from time to time so that the Candidate/Worker can assess whether or not to provide the requested data.
- 4. METHOD OF PROCESSING
Data processing will be carried out lawfully and fairly, and in any case, in compliance with Article 6 of the Regulation.
Processing will be carried out through the operations or set of operations indicated in Article 4, point 2 of the Regulation, namely: collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination, making available, comparison, interconnection, limitation, erasure or destruction, selection, blocking of personal data. The operations can be carried out with or without the aid of electronic or automated tools, in compliance with the confidentiality and security rules provided by law, regulations, or specific internal provisions. The data has been and will be collected exclusively from the interested party. The data is processed and stored at the administrative headquarters of the Company. Processing will be carried out by the Controller and/or by the Subjects authorized to process (appointees) referred to in Article 9, who will operate under the direct authority of the Controller following the instructions given by the latter. In carrying out its data processing activities, the Company undertakes to:
- Adopt adequate security measures to ensure data protection;
- Ensure that processing operations comply with applicable legal provisions;
- Ensure the accuracy and updating of data and make any changes and/or additions requested by the data subject;
- Notify the data subject, in the cases and within the times provided for by law, of any personal data breaches.
- 5. COMMUNICATION AND/OR DISSEMINATION OF PERSONAL DATA
Your personal data will not be disclosed. Your data may be communicated to:
- Public Administrations for the performance of institutional functions within the limits established by laws and regulations;
- Consultants, professionals, or law firms to receive opinions on the application of labor law to employment contracts, for activities related to the correct implementation of the employment relationship, for the management of disputes;
- Authorities and supervisory bodies following formal requests; consulting companies and auditing firms, professionals, and consultants, even in associated form;
- Banking or credit institutions for the payment of your fees;
- Tax assistance centers;
- Companies that offer services for the management, even computerized, of attendance and work flows;
- Healthcare facilities and the competent doctor for the fulfillment of the obligations ex Legislative Decree 81/2008;
- Pension and supplementary health care funds, even at the company level;
- Regional bodies or employment centers, as well as training bodies for courses for Candidates and/or Workers in administration;
- Travel agencies for booking trips and/or stays; companies or entities that provide car rental services or similar;
- Insurance companies for the coverage of diseases and/or professional accidents and the risks associated with the employer's liability for damages caused to third parties during work or professional activity, or for the signing of optional insurance policies.
Your data will be processed directly by the Controller or by third parties providing services specifically designated as Data Processors.
- 6. DATA TRANSFERS ABROAD
The Company may transmit the data you provided to its suppliers, even in third countries outside the European Union, whenever necessary within the scope of the purposes described in this notice. Any transfer of the data subject's data to countries located outside the European Union will take place, in any case, in compliance with the provisions of European legislation on the transfer of personal data to third countries or international organizations, particularly under Articles 44, 45, 46, 47, and 49 of the Regulation. You will have the right to obtain a copy of the data held abroad and to obtain information about where they have been stored by making an express request to the Data Controller.
- 7. DATA RETENTION PERIOD
If you are a CANDIDATE, except for the case of hiring, the Controller will carry out a periodic review, every 24 months, to verify whether the data should continue to be processed or whether they should be deleted. If you believe the purpose of processing has been exhausted, you can provide written communication to the Controller at any time, who will immediately proceed with the deletion of your personal data. If you are an EMPLOYEE, the data will be kept for the time necessary for the administrative, accounting, and tax purposes related to the established relationship and also arising from the obligations provided for by law, however within the prescription periods set for the rights and obligations underlying the processing. In particular, for administrative, accounting, payroll management, personnel training, contractual, and labor law activities, management of any disputes: 10 years as established by law by the provisions of Article 2220 of the Civil Code, except for any late payments or disputes that justify the extension.
- 8. AUTOMATED DECISION-MAKING PROCESSES
The company does not carry out processing that consists of automated decision-making on the personal data of candidates.
- 9. SUBJECTS AUTHORIZED TO PROCESS (appointees)
Authorized to process personal data, in compliance with the Regulation, are the collaborators and employees of Mavment s.r.l.
- 10. EXERCISE OF THE DATA SUBJECT'S RIGHTS
As a Data Subject, you can exercise your rights against the Controller or the Data Processor at any time, addressing the Data Controller using the following contact details: firstname.lastname@example.org – Mavment s.r.l. Via Colle della Maddalena, 4/A Giffoni Valle Piana, Salerno, Italy, VAT No. IT05426900659. To ensure the correct exercise of rights, the Data Subject must be unequivocally identifiable. The Company undertakes to respond within 30 days and, if it is unable to meet this deadline, to give reasons for any extension of the terms provided. The response will be free of charge except in cases of unfounded requests (e.g., there are no data concerning the requesting data subject) or excessive requests (e.g., repetitive over time), for which a contribution to expenses may be charged, not exceeding the actual costs incurred for the research carried out in the specific case. The rights relating to the personal data of deceased persons can be exercised by those who have their own interest or act to protect the data subject or for family reasons deserving protection.
Under the Regulation, as a Data Subject, you have the right to obtain information about:
- The origin of personal data;
- The categories of data processed;
- The purposes and methods of processing;
- The data retention period;
- The logic applied in case of processing carried out with the aid of electronic tools;
- The identifying details of the Controller and the Data Processor;
- The subjects and categories of subjects to whom personal data may be communicated or who may become aware of them as processors or appointees, also in Third Countries;
- The existence of the profiling process.
The data subject has the right to obtain:
- Confirmation of the existence or not of their personal data and that these data are made available in an intelligible form;
- The updating, rectification, integration of data, and limitation;
- Cancellation (right to be forgotten), anonymization, or blocking of data processed unlawfully;
- Certification that the operations referred to above have been brought to the attention of those to whom the data has been communicated or disseminated, except where this fulfillment proves impossible or involves a use of means manifestly disproportionate to the protected right;
- Data portability (direct transmission from one controller to another);
- A copy of the data being processed.
The data subject has the right to object to:
- The processing of personal data concerning the data subject, including profiling, for legitimate reasons, even if pertinent to the purpose of the collection;
- The processing of personal data concerning the data subject for the purpose of sending advertising material, direct selling, conducting market research, commercial communications;
- The processing of data processed for scientific or historical research purposes or for statistical purposes, except in the case of public interest in processing.
If processing is based on consent, the data subject can revoke the consent given at any time, without prejudice to the lawfulness of the processing carried out before the revocation. The data subject can also lodge a complaint with the supervisory authority.
In the event of a personal data breach suffered by the company (Data Breach), in compliance with Article 33 of the Regulation, the Controller will notify the competent supervisory authority within 72 hours of becoming aware of the fact and will also communicate the event to the data subject, except for the cases of exclusion provided for by the legislation in Article 34, paragraph 3 of the GDPR.
The Company has appointed a Data Protection Officer, pursuant to Article 37 of the Regulation, who can be contacted by sending an email to the following address: email@example.com.