PURSUANT TO EU REGULATION 2016/679
Data Processor and Data Protection Officer (DPO)
The data controller is the person who defines the purposes of the processing of personal data and, after having collected the data, "uses" the data in compliance with the principles of the GDPR.
Legal Basis and Processing Methods
The legal basis for the processing is the performance of contractual and pre-contractual measures aimed at establishing a working relationship between the Data Subject and the Controller. Aware of the importance of your data, we will ensure that we process it using electronic tools and/or paper media, taking all the appropriate security measures to protect it.
Your data must be collected and "used" to allow us to correctly assess your studies and work experience for recruiting purposes.
Personal data will be processed by Finwave and the persons instructed to do so by Finwave (e.g. persons in charge of IT systems, the administrative department, the HR department).
Your personal data may be disclosed to third parties only where necessary for the performance of activities aimed at establishing a working relationship between you and Finwave.
The table below not only summarises the data to be processed and the purposes for which it will be processed, but also explains who may come into contact with your data.
Data processing purposes
Personal Data Categories
Recruitment and selection related to a possible hiring process
• Biographical data including household information (e.g. name, surname, tax code)
• Contact data (e.g. residence address, telephone numbers and e-mail address)
• Data generally present on CVs (e.g. academic education, grades obtained, awards, publications)
• Special Categories of Personal Data (e.g. information on the candidate's health conditions) and legal data (e.g. information on offences and convictions)
• employees to whom your application was sent and who, by virtue of their role or position, process your data for recruitment purposes
• employees who, by virtue of their role or position, process your data for recruitment purposes
• service providers specifically appointed as data processors;
• Autonomous data controllers by virtue of
Special categories of personal data
The data requested is only the data exclusively required for the specific recruiting purpose. The data that may be requested and/or disclosed - including spontaneously - to the Data Controller may also include:
- data belonging to the special categories of data referred to in Article 9 of the GDPR: this data will only be processed to the extent that it is strictly necessary to fulfil the obligations and exercise the Data Controller's or the Data Subject's specific rights relating to labour law, social security and social protection, insofar as authorised by EU or Member State law or by a collective agreement under Member State law, subject to appropriate safeguards for the fundamental rights and interests of the Data Subject;
and where necessary and strictly relevant to the tasks or job functions to be performed
- personal data contained within the criminal record certificate and falling within the category of legal data referred to in Article 10 of the GDPR: this data will be processed, subject to the adoption of specific safeguards and limited to the extent strictly necessary in relation to the purposes of verifying the requisites of integrity and reliability with regard to the specific task or work function assigned, only and to the extent strictly necessary for the fulfilment of duties and the exercise of rights by the data controller or the Data Subject in the field of employment law, social security and social protection, insofar as authorised by EU or Member State law or by a collective agreement under the law of the Member States, in the presence of appropriate safeguards for the fundamental rights and interests of the Data Subject or for the purpose of verifying or ascertaining the requirements of good standing, subjective requirements and disqualification requirements in cases provided for by law or regulations.
In any case, if personal data is provided that is irrelevant to the purpose pursued, it will be immediately deleted and, under no circumstances, taken into account for the performance of recruiting activities.
Transfer of personal data
Your data will not be transferred outside the EU. Should it be necessary to transfer your personal data outside the EU, this will only take place for the purposes listed above, and only to countries that provide adequate guarantees for the protection of personal data or by adopting the appropriate technical, legal and organisational security measures provided by the GDPR.
The data you provide us with will be processed according to the principles of lawfulness, transparency and fairness, in accordance with the company's security policies. We guarantee an “adequate” level of security in accordance with the GDPR and the relevant national legislation, but above all the security of your personal data.
Should there be a particular risk of breach, we will notify you promptly.
Rights of the Data Subject
In addition to guaranteeing the right to lodge a claim with the Supervisory Authority, which for Italy is the Italian Data Protection Authority, the GDPR grants you the following rights:
- Right of access (Article 15 GDPR): Possibility for the Data Subject to obtain from the Controller confirmation as to whether or not his or her personal data is being processed and to obtain further information, including the purposes of the processing, the categories of personal data and the recipients.
- Right to rectification (Article 16 GDPR): Possibility for the Data Subject to obtain from the Controller the rectification of inaccurate personal data.
- Right to be forgotten (Article 17 GDPR): Possibility for the data subject to request the deletion of his or her personal data if one of the reasons provided for in the article exists, including: revocation of consent, unlawful processing and fulfilment of a legal obligation.
- Right to restriction of processing (Article 18 GDPR): Possibility for the data subject to obtain the restriction of processing, which can be configured as a total or partial suspension of the processing of the data or also, in some cases, as a blocking of the same. This can only be requested in exceptional cases expressly determined by the rule, including the period necessary to establish the accuracy of personal data, unlawful processing, the exercise of a right in a court of law.
- Right to data portability (Article 20 GDPR): The Data Subject has the right to receive, in a structured, commonly used and machine-readable format, his or her personal data provided by a Data Controller and the right to transfer such data to another Data Controller.
- Right to object (Article 21 GDPR): Possibility for the Data Subject for reasons relating to his or her particular situation to object to the processing of his or her data pursuant to Article 6, paragraph 1, letters e) and f) and/or for direct marketing purposes.
- Right not to be subject to automated decision-making (Article 22 GDPR): Possibility for the data subject to object to processes based solely on automated processing if they have legal effects on him or her or significantly affect him or her.
The Data Controller does not use automated decision-making processes capable of producing legal effects on the data subjects.
- Right to lodge a claim with the competent supervisory authority (Articles 13 - 77 GDPR) and right to an effective legal remedy (Article 79 GDPR). Possibility for Data Subjects to protect their rights and interests at the competent fora, including the courts.
If you have any doubts or need clarification, or if you wish to exercise your rights, please contact us at the following address: firstname.lastname@example.org
Personal Data Retention Times
Depending on how you submit your application, your data will be stored as follows:
Paper/manual (e.g. recruiting events, etc.)
maximum 24 months
Job application through the recruitment platform in use
ELECTRONIC on the platform in use
maximum 24 months
Applying for open positions on the platform in use
ELECTRONIC on the platform in use
maximum 24 months
After the retention period has expired, your personal data will be deleted if stored on paper. In other circumstances you will be asked, through the recruiting platform, whether you wish to keep the data on our database. If you reply in the negative or if no reply is received after 7 days, the data will be automatically deleted.