Privacy notice on the processing of personal data – Job applicants

(Arts. 13 and 14, Regulation EU 2016/679 – GDPR)

This specific privacy notice is provided pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 ("GDPR") to individuals who intend to submit their curriculum vitae (CV) to Coind sc via the “Lavora con noi” form or by unsolicited submission.

1. Data Controller

The Data Controller is Coind sc, with registered office at Via Saliceto 22/H - 40013 Castel Maggiore (BO), Tax Code and VAT No. 00501861203. For any privacyrelated matters, the data subject may contact the Controller at the email address for the “Lavora con noi” section: cresciconnoi@coind.it.

2. Categories of Personal

Data Processed Processing concerns the personal data provided through the submission of the CV or form completion, including:

  • Common data: personal details, contact data (email, telephone), academic background, employment history, language and IT skills, references.
  • Special categories of data (Art. 9 GDPR): the CV submission may involve processing data revealing health status (e.g., membership of protected categories). The Controller invites candidates to limit such information to what is strictly necessary for employment relationship establishment and for compliance with legal obligations (e.g., reserved quotas).
  • Thirdparty data: should the candidate include thirdparty data (e.g., references), the candidate warrants to have obtained prior consent from the third party for such disclosure.

3. Purposes and Legal Basis of the Processing

Data will be processed solely for the following purposes:

  1. Recruitment and selection: assessment of the candidate’s profile, aptitudes and professional skills for potential employment or collaboration.
    • Legal basis: measures taken at the request of the data subject prior to entering into a contract (Art. 6(1)(b) GDPR).
  1. Compliance with legal obligations: in particular, verification of statutory requirements and application of contractual or fiscal incentives.
    • Legal basis: legal obligation incumbent on the Controller (Art. 6(1)(c) GDPR).
  1. Defence in legal proceedings: establishment, exercise or defence of the Controller’s rights in outofcourt or judicial proceedings.
    • Legal basis: legitimate interest of the Controller in defending its rights (Art. 6(1)(f) GDPR).

4. Nature of Provision

Provision of data is optional; however, failure to provide the required data (or minimum data necessary for identification and profile evaluation) will render the Controller unable to consider the application or proceed with selection stages.

5. Processing Methods and Security

Processing will be carried out by means of both paper and electronic/telematic instruments, in compliance with the purposes indicated and ensuring data security and confidentiality. The Controller implements appropriate technical and organisational measures to prevent loss, unlawful or incorrect use and unauthorised access to the data.

6. Recipients and Transfers

Personal data will not be disseminated but may be disclosed to:

  • Authorised employees (HR, IT, functional managers involved in the position);
  • External companies or professionals engaged for recruitment services, employment consultancy or IT maintenance, appointed as Data Processors under Art. 28 GDPR;
  • Competent authorities for legal obligations.

Data are stored on servers located within the European Union. Should transfer to nonEU countries become necessary, the Controller will ensure adoption of standard contractual clauses or other adequate safeguards pursuant to Chapter V GDPR.

7. Retention Period

In compliance with the dataminimisation and storagelimitation principles (Art. 5(1)(e) GDPR), data will be retained for a maximum period of 24 months from receipt or last update provided by the candidate. This retention period is considered proportionate for recruitment needs and future selection processes. At the end of this period, data will be deleted or irreversibly anonymised, except where an employment relationship is established.

8. Data Subject Rights

At any time, the data subject may exercise the rights under Arts. 15 et seq. GDPR:

  1. Access: obtain confirmation of whether data are processed and receive a copy;
  2. Rectification: request correction or update of inaccurate data;
  3. Erasure: request removal of data if no longer necessary or upon consent withdrawal;
  4. Restriction: request restriction of processing in certain cases;
  5. Objection: object to processing based on legitimate interests;
  6. Portability: receive personal data in a structured, commonly used and machinereadable format.

Requests shall be sent by email to: cresciconnoi@coind.it. The data subject also has the right to lodge a complaint with the Data Protection Authority (www.garanteprivacy.it).