Data Controller and Data Protection Officer
We inform you that Gruppo Informatica e Servizi GIES S.r.l. (hereinafter, “GIES”), with registered office at Via Enrico Notaio, 23, 47892, Acquaviva, Republic of San Marino, as the Data Controller (hereinafter, the “Controller” or “Company”) - reachable at the email address: privacy@gies.sm - will process your personal data collected as part of the personnel selection and recruitment process and, in particular, the data contained in the CV you submit following the announcement of open positions, selections, or competitions, or spontaneously.
The Data Controller is available to provide any information regarding the processing of your personal data and the exercise of your rights as a data subject.
The Data Controller has appointed a Data Protection Officer (hereinafter, "DPO"), who is available to provide any information regarding the processing of your personal data and the exercise of your rights as a data subject. The DPO can be contacted not only at the physical address of GIES's headquarters, but also at the following email address: dpo@gies.sm, and via certified email (PEC) at dpogies@legalmail.it.
Categories and types of data processed and source of data collection
The data processed by the Data Controller may include:
- common data, such as, in particular, personal and identification information (name, surname, date of birth, etc.), contact information (landline and/or mobile telephone number, email address, etc.), information relating to your professional profile and employment history, as well as any other relevant information contained in the CV you have submitted;
- possibly, to the extent that processing is required by applicable law, data belonging to the "special categories" referred to in Article 9, paragraph 1 of the GDPR and, specifically, data relating to your health (specifically, whether you belong to the so-called protected categories);
Hereinafter, also "Personal Data".
We inform you that, if your CV contains data belonging to the special categories referred to in Article 9, paragraph 1 of the GDPR, we will process it for your benefit. 1 of the GDPR that the Data Controller is not required to process under the applicable legislation, or Personal Data that is not relevant to the purposes set out below, the Data Controller will refrain from processing such data. For this reason, unless strictly necessary, you are advised not to provide excessive information. In any case, the Data Controller undertakes not to conduct any investigation, even through third parties, into the employee's political, religious, or trade union opinions, or any other fact that is not relevant to the assessment of the candidate's professional aptitude.
You may also voluntarily provide the Data Controller—as part of the aforementioned procedure—with data relating to third parties. Please note that, in such cases, you are the independent data controller with all legal obligations and responsibilities. In this regard, you hereby fully indemnify the Data Controller against any dispute, claim, or request for compensation for damages arising from the processing that may be received from third parties whose Personal Data has been processed through your spontaneous submission in violation of applicable data protection laws. In any case, if you provide or otherwise process third-party Personal Data, you hereby guarantee—assuming all related liability—that such processing is based on an appropriate legal basis that legitimises the processing of the information in question.
With regard to the source of the aforementioned Personal Data, please note that, as a rule, it is collected directly from you, who submits your application to the Company. In some cases, however, the Data Controller may also collect your Personal Data from third parties, in particular, from employment agencies and other companies that carry out, in their own interest or that of third parties, intermediation, personnel search and selection, or career placement support.
Purpose, legal basis, and optionality of processing
Personal Data will be collected and processed for the following purposes:
a) Purpose of managing your application
The Data Controller will process the Personal Data to assess the consistency of your profile with theopen job positions and, in general, to manage personnel selection procedures, as well as to contact you to schedule interviews if necessary.
For this purpose, the Data Controller will process Personal Data pursuant to Articles 6, paragraph 1, letter b) and 9, paragraph 2, letter b) of the GDPR.
The provision of Personal Data for the above-mentioned purpose is optional, but failure to provide it may make it impossible for the Data Controller to evaluate your profile and/or schedule interviews.
b) Compliance purposes
The Data Controller will process Personal Data in order to comply with legal obligations, regulations, or national and EU laws, including provisions of sector supervisory authorities and/or orders of judicial and/or administrative authorities (including, compliance with accounting and tax obligations, as well as those related to the detection and suppression of crime, public order, and civil protection).
To this end and when necessary, the Data Controller will process Personal Data pursuant to Art. 6, paragraph 1, letter c) of the GDPR; with reference to data belonging to special categories, the processing is based on Art. 9, paragraph 2, letters b) and g) of the GDPR.
c) Defense purposes
The Data Controller will process Personal Data, if necessary, to establish, exercise, or defend a right in or out of court.
For this purpose, the Data Controller will process Personal Data pursuant to Art. 6, paragraph 1, letter f) of the GDPR as there is a legitimate interest of the Data Controller in establishing, exercising, or defending its rights; with reference to data belonging to special categories, the processing is based on Art. 9, paragraph 2, letter f) of the GDPR.
Categories of subjects to whom personal data may be disclosed and purposes of disclosure
Personal Data may be shared with:
- natural persons authorized by the Data Controller to process Personal Data pursuant to Art. 29 of the GDPR;
- subjects who, in processing Personal Data on behalf of the Data Controller, typically act as data processors pursuant to Art. 28 of the GDPR (e.g., recruitment agencies, employment consultants, etc.);
- subjects, entities, or authorities, acting as independent data controllers, to whom it is mandatory to disclose Personal Data pursuant to regulatory provisions or orders from authorities (for example, but not limited to, administrative authorities).
The updated and complete list of data processors can be requested from the Data Controller and/or the DPO at the contact details indicated in this policy.
No dissemination of your personal data to unspecified subjects is envisaged.
Transfer of Personal Data
Some Personal Data may be shared with recipients located in third countries outside the European Economic Area or with international organizations. The Data Controller ensures that the processing of Personal Data by these recipients complies with the GDPR. Specifically, transfers will be based on an adequacy decision by the European Commission or on the Standard Contractual Clauses approved by the European Commission, or on another appropriate legal basis, in accordance with Recommendations 01/2020 adopted on November 10, 2020, by the European Data Protection Board.
Further information is available from the Data Controller or the DPO by writing to the addresses indicated above.
Retention of Personal Data
Personal Data will be retained for the time strictly necessary for the purposes for which it is collected, in compliance with the principles of data minimization and storage limitation pursuant to Art. 5, paragraph 1, letters c) and e) of the GDPR.
Specifically, your CV and other information related to your application will be retained for a period of 24 months from the date of submission. At the end of this period, the Personal Data will be permanently deleted.
The Data Controller reserves the right to retain the Personal Data, including and where necessary, for as long as necessary to fulfill the Compliance and Defense Purposes.
Further information is available from the Data Controller and/or DPO at the contact details above.
Data Processing Methods
In relation to the aforementioned purposes, the Personal Data is processed using manual, computerized, and electronic means, with methods strictly related to the purposes themselves and, in any case, in a manner that guarantees the security and confidentiality of the data, in addition to compliance with specific legal obligations.
Rights of Data Subjects
Data subjects have the right to request from the Data Controller, at any time and where the relevant legal requirements are met:
- Access to their Personal Data (and/or a copy of such Personal Data), as well as further information on the processing being carried out on them;
- The rectification or updating of their Personal Data processed by the Data Controller, where they are incomplete or out of date;
- The deletion of their Personal Data from the Data Controller's databases, where they believe the processing is unnecessary or unlawful;
- The restriction of the processing of their Personal Data by the Data Controller, where they believe that their Personal Data is not correct, necessary or is being unlawfully processed, or where they have objected to their processing;
- To exercise the right to data portability, i.e. to obtain a copy of the Personal Data concerning them provided to the Data Controller in a structured, commonly used and machine-readable format, or to request its transmission to another Data Controller;
- To object to the processing of their Personal Data, using a legal basis relating to their particular situation, which they believe should prevent the Data Controller from process their Personal Data.
Requests to exercise these rights must be submitted in writing to the Data Controller or the DPO at the contact details above.
In any case, if a data subject believes that the processing of their Personal Data by the Data Controller violates the provisions of applicable law, they have the right to lodge a complaint with the Italian Data Protection Authority, pursuant to Article 77 of the Regulation, or to take appropriate legal action pursuant to Article 79 of the GDPR.