Privacy notice for applicants
Who are we and what do we do with your personal data?
The Data Controller, Santoni S.p.A. with registered office at Via Monte Napoleone 9, Milan (hereinafter also the Controller), takes the confidentiality of your personal data very seriously and strives to protect it from any potentially compromising event.
To this end, the Controller implements policies and practices regarding the collection and use of personal data and the exercise of your rights under applicable legislation. The Controller shall update personal data protection policies and practices as often as necessary and in the event of regulatory and organisational changes that may affect the processing of your personal data.
The Controller has appointed a data protection officer (DPO), whom you can contact if you have any questions about the policies and practices in place, at: privacy.santoni@legalmail.it
How and why does the Controller collect and process your personal data?
The Controller collects and/or receives data relating to you, such as:
- first name, surname;
- tax code;
- place and date of birth;
- e-mail;
- landline and/or mobile telephone number;
- address;
- CV data;
- IT data (log-on and IP address for access to the online recruitment procedure [sending CVs]);
- data relating to health status if the data subject belongs to protected categories, or in any case that may have been collected.
Personal data concerning you will be processed for the following purposes:
1) personnel recruitment and/or the start of a working relationship:
a. Purpose:
- candidate recruitment for open positions;
- the collection of applications and CVs, which may take place through: recruitment advertisements via recruitment agencies, temporary employment agencies, universities and LinkedIn;
- examination of curricula received;
- selective interviews;
- placement of the successful candidate in the organisation;
- the establishment of the working relationship.
b. Legal basis:
- performance of pre-contractual activities;
- fulfilment of specific obligations;
- performance of specific tasks arising from laws, regulations or collective agreements, including company agreements, in particular for the purposes of establishing the working relationship.
Your data may also be collected from third parties such as, but not limited to:
- employment centres;
- IT service providers;
- private organisations providing temporary employment provision, intermediation, personnel recruitment, training and outplacement support activities;
- universities.
Where applicable, the foregoing is without prejudice to the right to rectification of processed or collected data.
The data collected or in any case obtained by the Controller as a result of the selection procedure adopted for positions available within its organisation, except for data relating to your health status, which you have voluntarily provided, are considered necessary, and failure to provide such data will make it impossible for the Controller to carry out activities aimed at:
- assessing your application in the personnel selection process, which the Controller also carries out through its suppliers (third parties/recipients);
- managing the candidate recruitment process in all its stages and ensuing obligations.
2) communication to third parties and dissemination:
a. Purpose:
communication to third parties such as:
- information service providers;
- personnel recruitment and training agencies;
- universities.
b. Legal basis:
- performance of pre-contractual activities;
- fulfilment of legal and/or regulatory obligations related to the activities carried out in the recruitment procedure.
The Controller will not transfer your personal data abroad (non-EU countries). Your personal data will in no way be shared or disclosed to unspecified and unidentifiable persons, including third parties.
Communication affects the categories of data whose transmission is necessary for the performance of the activities and purposes pursued by the Controller in managing the recruitment procedure. Such processing does not require the consent of the data subject in the event that the processing is carried out in order to fulfil obligations arising from the relationship established, or in the event of any other exception (in particular the Controller identifying a legitimate interest), which is expressly provided for or dependent on the rules and regulations applied by the Controller, or even through third parties identified as data processors. Where the communication involves data liable to reveal health status, the relevant processing operations will be carried out with all the necessary guarantees, including those that, if required on the basis of the risks detected, lead to the adoption of pseudonymisation, and/or data aggregation and/or encryption solutions.
3) IT security activities:
a. Purpose:
- control and monitoring of the services displayed online and on the platforms pertaining to the Controller and made available to you for sending CVs and/or for accessing open job/work positions (e.g. the forms published on the "Work with us" page of the company website);
- implementation of data breach detection and notification procedures.
b. Legal basis:
- access to the recruitment procedure;
- fulfilment of legal obligations (detection and notification of data breaches);
- legitimate interest.
How, where and for how long is your data stored?
How
Data processing is carried out by specially authorised internal staff using hard-copy or computerised procedures. These staff are allowed access to your personal data to the extent and within the limits necessary for the performance of the processing activities concerning you.
The Controller periodically checks the means by which your data are processed and the security measures in place, which must be kept up to date. The Controller also verifies, including through authorised data processors, that no unnecessary personal data or data for which the purposes no longer apply are collected, processed, archived or stored. The Controller verifies that the data are stored with a guarantee of integrity and authenticity and that they are used for the purposes of the processing actually carried out, also in view of the particular nature of the processing. The checks enable the Controller to assess the strict relevance, non-excessiveness and indispensability of the data belonging to special categories in relation to the recruitment procedure and to the relationship to be established, also with reference to the data you provide on your own initiative.
The Controller guarantees that data that prove, also following checks, to be excessive or irrelevant will not be used, except for possible storage, in accordance with the law, of the document containing such data.
Where
The data are stored in hard copy, computer and electronic archives, located within the European Economic Area, and specific security measures are ensured.
For how long
Your personal data are stored for as long as necessary to perform the activities concerning you.
In particular:
a. identification data;
b. CV data;
c. data disclosing health even if spontaneously disclosed.
These data are stored for the duration of the recruitment procedure and in any case for a maximum of 2 years, or 5 years for subjects with specific technical skills that are difficult to find on the market (e.g. footwear sector).
The foregoing is without prejudice to:
- restriction of processing and other guarantees provided for data belonging to special categories;
- the erasure of personal data collected through CVs sent voluntarily or in the absence of an open position;
- the Controller’s decision to keep the data, even those you voluntarily provided, for the time needed to assess your application also for future employment/work relationships;
- the establishment of the working relationship.
Save for any disputes: if a dispute entails an extension of the aforementioned time limits, the data are kept for the time necessary to pursue the relevant purpose.
d. IT data (system and network access logs and/or IP addresses)
The duration of the storage depends on the presumed and/or detected risk and the detrimental consequences thereof, without prejudice to measures to render the data anonymous or to restrict its processing.
In any event, the data must be retained (starting from the knowledge/detection of the danger or data breach) for the time necessary to notify the supervisory authority of the data breach detected through the procedures implemented by the Controller and in any event to remedy it.
Once all the purposes justifying the storage of your personal data have been fulfilled, the Controller will delete the data or make them anonymous.
What are your rights?
The rights granted to you allow you to be in control of your data at all times. Your rights are those of:
- access;
- rectification;
- withdrawal of consent;
- erasure;
- restriction of processing;
- objection to processing;
- portability.
Essentially, you can do the following at any time, free of charge and without any particular requirements or formalities:
- obtain confirmation of the processing carried out by the Controller;
- access your personal data and know its origin (when the data is not obtained from you directly), the purposes and aims of the processing, information about the persons to whom it is communicated, the storage period of your data or the criteria used to determine it;
- update or rectify your personal data so that it is always accurate and correct;
- withdraw consent at any time if this constitutes the basis for the processing. The withdrawal of consent shall not in any case affect the lawfulness of processing based on consent before its withdrawal;
- erase your personal data from databases and/or archives, including backup archives, if for example they are no longer necessary for the purposes of the processing or if this is assumed to be unlawful, provided that the conditions set forth in law are met; and in any case if the processing is not justified by another equally legitimate reason;
- restrict the processing of your personal data in certain circumstances, for example where you have challenged its accuracy, for the period necessary for the Controller to verify its accuracy. You must also be promptly informed of when the suspension period has expired or the cause of the restriction of processing has ceased to exist, and thus the restriction itself revoked;
- obtain your personal data, if they are processed on the basis of a contract and by automated means, in electronic format also for the purpose of transmitting them to another controller.
The Controller shall do the above without delay and, in any case, no later than one month after receiving your request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests received. In such cases, the Controller will inform you within one month of receiving your request and will inform you of the reasons for the extension.
For any further information and to submit your enquiry, please contact the Controller at privacy@santonishoesit.com
How and when can you object to the processing of your personal data?
For reasons relating to your particular situation, you can object at any time to the processing of your personal data if this is based on a legitimate interest, by sending your request to the Controller's email address privacy@santonishoesit.com
You have the right to erasure of your personal data if there is no legitimate reason overriding the reason for your request.
Who can you complain to?
Without prejudice to any other administrative or judicial action, you may lodge a complaint with the data protection authority, unless you reside or work in another Member State. In the latter case, or where the breach of data protection law takes place in another EU country, the supervisory authorities established in said country are competent.
Any updates to this policy will be communicated to you in a timely manner and by appropriate means, and you will also be notified of such updates before they are made and in time to give your consent if required.
Last updated May 2022