Information on the processing of personal data of Applicants
Fondazione Milano Cortina 2026, with registered office in Milan, Piazza Tre Torri 3, C.F. 97866790153, VAT #11199200962, as the Data Controller (hereinafter, "Controller"), informs the Applicants, pursuant to EU Regulation 2016/679 ("GDPR") and current national legislation on the protection of personal data, that their data will be processed according to the methods and for the purposes hereinafter indicated.
1. Object of the processing
The Controller processes the data communicated by the Applicant (or communicated by third parties, such as companies in charge of the selection and/or employment agencies) during the selection phase and during the job interview with the Controller (hereinafter, "Data" or "Personal Data"), in particular the following categories:
· identification data such as, by way of example, name, surname, address of residence and domicile, place and date of birth, e-mail, telephone number, tax code, data contained in the CV, employment data, salary data, educational and professional path data, etc.;
· evaluation data such as, by way of example, notations, evaluations, etc., possibly collected during the interviews and/or provided by third parties such as employment agencies and/or selection companies;
· particular/sensitive data relating to the state of health such as, by way of example, data for verifying suitability for certain jobs, data relating to belonging to protected categories, where necessary for the activity applied for.
2. Purposes and legal bases of processing
The Applicants’ Personal Data can be processed without their prior consent for the following purposes and legal bases:
· the fulfillment of pre-contractual commitments, and in particular:
- for the correct execution of the personnel selection process (for example, management of applications);
- to allow the application for a specific job position;
- the possible fulfillment of pre-contractual and contractual obligations required for the establishment of the employment relationship.
· for the Controller to comply with legal obligations, such as:
- compliance with the legislation on the recruitment of the so-called Protected categories;
- the fulfillment of specific obligations established by law, company regulations, collective agreements, national and community regulations as well as deriving from provisions issued by authorities legitimated by law.
· the pursuit of a legitimate interest of the Controller and, in particular, for the exercise of the rights of the Controller in court and the management of litigation, as well as the prevention and repression of unlawful acts: the interest of the Data Controller corresponds to the constitutionally guaranteed right to initiate proceedings (art. 24 of the Italian Constitution) and, as such, is socially recognized as prevailing over the interests of the data subject.
3. Means of Processing
The processing of Applicants’ Data is carried out, both on paper and electronically, by means of the operations of collection, registration, organization, conservation, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, erasure, and data destruction. The Personal Data of the Applicant are subject to electronic and possibly automated processing. Applicant's Personal Data are protected in a way that minimizes the risk of destruction, loss (including accidental loss), unauthorized access/use, or use incompatible with the initial purpose of collection, thanks to technical and organizational security measures implemented by the Controller.
4. Data Storage period
The Controller processes the Personal Data for the time necessary to fulfill the aforementioned purposes and in any case for no more than 24 months from collection if an employment relationship is not established or if Fondazione does not receive an updated CV within the next 15 days. In such cases, the system will delete the information and, at the same time, send the candidate a notice of cancellation. If, in the event of an employment relationship being established, for 10 years from its termination.
5. Provision of Data
The provision of Personal Data is required for the start and continuation of the selection phase and, possibly, to establish the employment relationship.
6. Access to Access
Applicants’ Data may be made accessible for the above purposes to:
· employees and/or collaborators of the Controller, in their capacity as appointed and/or internal data processors and/or system administrators;
· third-party companies and other subjects (for example, labor consultants, etc.) who carry out outsourced activities on behalf of the Controller and who will process the Data in their capacity as data processors.
The updated list of internal/ data processors and system administrators is kept at the Data Controller’s offices.
7. Recipient categories
The Applicants’ Personal Data may be communicated, without their prior consent, for the aforementioned purposes to Public Administrations or competent authorities, as well as to third parties such as selection companies and/or employment agencies who will process the Data upon request as independent data controllers.
8. Transfer of Data
The Applicants’ Data will not be disclosed but may be transferred for the aforementioned purposes to non-EU countries. To ensure an adequate level of protection of Personal Data, the transfer will take place by virtue of the adequacy decisions approved by the European Commission or the adoption, by the Controller, of the Standard Contractual Clauses drawn up by the European Commission. The list of non-European countries to which the Data is transferred is available at the Controller’s office.
1. Rights of the Data Subject
The Controller informs that, as data subject, according to limitations established by law, any Applicant has the right to:
· obtain confirmation on the existence of their Personal Data, even before registration, and that such Data are available in an intelligible form;
· obtain indication and, where appropriate, copy of: a) the source and category of Personal Data; b) the logic applied in case of processing carried out electronically; c) the purposes and methods of processing; d) the identification details of the Controller and processors; e) the persons or categories of persons to whom the Data may be communicated or who may become aware about, in particular in case of recipients in third countries or international organizations; e) when possible, of the period for which the Data will be stored or the criteria used to determine that period;
· obtain, with no delay, the updating and rectification of inaccurate Data or, when relevant for the data subject, the integration of incomplete Data;
· withdraw their consents at any time, easily, without hindrance, through the same channels used for the data provision, if possible;
· obtain the erasure, transformation into anonymous form or blocking of Data: a) processed unlawfully; b) no longer necessary in relation to the purposes for which they were collected or subsequently processed; c) in case of withdraw of the consent on which the processing is based and in case there is no other legal basis, d) in case of opposition to processing in the absence of any overriding legitimate reason to carry on the processing; e) for the fulfillment of a legal obligation; f) in the case of Data referring to minors. The Controller can refuse the erasure only in the case of a) exercise of the right to freedom of expression and information; b) fulfillment of a legal obligation, execution of a task carried out in the public interest or exercise of public authority; c) reasons of public health interest; d) archiving in the public interest, scientific or historical research or for statistical purposes; e) exercise of a right in court;
· obtain the restriction of the processing in the case of a) objection to the accuracy of the Personal Data; b) unlawful processing of the Controller to prevent its erasure; c) exercise of personal right in court; d) verification of the possible prevalence of the legitimate reasons of the Controller with respect to those of the data subject;
· in case of processing carried out by automatic means, receive without hindrance and in a structured, commonly used, and readable format, the Personal Data in order to transfer them to another controller or - if technically feasible - to obtain direct transmission by the Controller to another one;
· object, in whole or in part, for legitimate reasons connected to personal situations, to the processing of their Personal Data;
· lodge a complaint with the Supervisory Authority.
In the cases referred to above, where necessary, the third parties to whom the Applicants’ Personal Data are communicated will be informed by Controller of any exercise by the Applicant of their rights, except for specific cases (for example, when such communication is proven impossible or involves a use of means manifestly disproportionate to the protected right).
2. Methods of exercising rights
The Applicants may at any time exercise their rights by:
• sending a registered letter with return receipt to the Controller's address;
• sending an email to [email protected].
Milan, January 2023
Fondazione Milano Cortina 2026