Clicca qui per leggere la versione italiana
Information pursuant to articles 13 and 14 of EU Regulation 2016/679 for the protection of personal data (GDPR)
Pursuant to Articles 13 and 14 of EU Regulation 2016/679 (hereinafter "GDPR"), LUISA VIA ROMA S.p.A. (hereinafter "LUISAVIAROMA" or the "Data Controller") - with registered office in Via Benedetto Varchi, 61, 50132 Firenze, Italia -, in the capacity of Data Controller of personal data, represented by its pro tempore managing director, informs that your personal data will be processed by LUISAVIAROMA itself through manual processing or electronic or automated, computerized or telematic tools, with principles strictly related to the purposes listed below and so as to guarantee security and confidentiality of said data.
Identity and contact details of the Data Controller and the Data Protection Officer
The Data Controller is LUISA VIA ROMA S.p.A., represented by its pro tempore managing director, with registered office in Via Benedetto Varchi, 61, 50132 Firenze, Italia.
The Data Controller has appointed a Data Protection Officer whom you can contact in order to exercise your rights or to obtain information regarding same data and information contained in this document, by writing to LUISA VIA ROMA S.p.A., Via Benedetto Varchi , 61, 50132 Firenze, Italia or by sending an email to email@example.com.
Categories of data obtained from subjects other than the data subject
In order to pursue purposes indicated in the paragraph “Purpose and lawfulness of the processing”, LUISAVIAROMA processes all categories of personal data either through direct conferment by the data subject (Article 13) or by recruiting companies (Article 14).
Sources of personal data
Personal data is collected through direct provision by the data subject (Article 13) or by recruiting companies (Article 14).
Purpose and lawfulness of the processing
Your personal data are processed by the Data Controller pursuant to Article 6 GDPR. Specific processing purposes and their legal bases are as follows:
Legal basis of the processing (and purpose)
- Personnel selection aimed at stipulating an employment contract. (Purpose: Execution of a contract or execution of pre-contractual measures.)
- Backup management. (Purpose: Pursuit of the legitimate interest of the data controller or third parties.)
Nature of provision and consequences of refusal
The provision of data is mandatory for the fulfillment of pre-contractual obligations. Any refusal to provide mandatory data will therefore result in the objective impossibility to pursue the processing purposes referred to in the section “Purpose and lawfulness of processing” and “Legal basis of processing (and purpose)”.
In the event that particular data are present in the curriculum pursuant to Article 9 GDPR, the Data Controller will refrain from using such data unless they concern any health data that reveal belonging to protected categories that will be taken into consideration only in the case of searches for specific personnel. In any case, only strictly relevant information will be processed and limited to what is necessary for the possible establishment of the employment relationship. It is recalled that particular data are identified as those which reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data intended to uniquely identify a natural person, data relating to the health or sexual life or sexual orientation of the person.
Categories of personal data recipients
The personal data provided may be processed by the following categories of subjects as Data Processors specifically appointed by the Data Controller, pursuant to Article 28 GDPR:
• Support providers (such as for the management / conservation of paper material).
• Support providers for the supply / maintenance of IT systems.
• Cloud application providers for personnel selection management.
You have the possibility to request from LUISAVIAROMA the list of the data processors involved in these purposes through the communication methods found in the section "Identity and contact details of Data Controller and Data Protection Officers".
The data will also be processed by persons specifically authorized for processing by the Data Controller, pursuant to the GDPR, such as employees of LUISAVIAROMA or administered by the same, interns and collaborators, following specific instructions given by the Data Controller.
Personal data processed by LUISAVIAROMA shall not be subject to dissemination.
Extra EU transfers
To pursue above processing purposes your personal data may be transferred to above recipients within Italy and abroad, even outside the European Union (EU) as some sub-managers pursuant to Article 28 GDPR of the company that provides cloud applications for the management of personnel selection campaigns are based outside the European Union.
For these sub-processors, the Data Processor has used the new standard clauses relating to data protection adopted by the European Commission (Standard Contractual Clauses) which provide adequate guarantees pursuant to Article 46 GDPR and provide for additional measures to be taken to ensure compliance of the transfer of personal data to third countries. Furthermore, the Data Processor has carried out an impact assessment (Transfer Impact Assessment) for these transfers, which has been acquired by the Data Controller. These guarantees and the process of evaluating these guarantees on data transfer, ensure compliance with the data protection requirements and the rights of data subjects adequate for processing within the Union, including the availability of enforceable rights of data subjects and of effective remedies, including effective administrative or judicial redress and the request for compensation, in the Union or in a third country. To obtain a copy of your data, to get information about the adequate guarantees and to know the place where the data you provided have been made available, you can contact the Data Controller, at the following email address: firstname.lastname@example.org.
Personal data retention period
Personal data processed by LUISAVIAROMA will be kept for the period of time needed for the management of research and personnel selection.
Once these terms have expired, your personal data will be anonymized or deleted, unless needed to be preserved for different purposes provided for by express provision of law.
Below, the details of the duration of the data retention period for the purposes described above, or the criteria used to determine this period (particular data are indicated in italics):
Purpose: Personnel selection aimed at stipulating an employment contract
- Personal data category: Name, address or other elements of personal identification, email, telephone number, professional experience, studies and culture, photography and any other data that may be present on the curriculum vitae (resume, CV). Data that belongs to a protected category.
- Retention period: The data will be kept only for the period of management of the research and selection of personnel.
Purpose: Backup management.
- Personal data category: All data relating to candidates present in the Company's IT systems.
- Retention period: Ten years and six months from the closure of the business or greater in the presence of any disputes.
Automated decision-making process
For the pursuit of above processing purposes, no decision is made exclusively based on automated processing that produces legal effects concerning you or which affects you in a similarly significant way.
Rights of the data subject
Pursuant to GDPR, data subjects are granted the following rights which you may exercise vis-à-vis LUISAVIAROMA:
- access to your personal data and confirmation as to whether or not personal data related to you are being processed, including for the purposes of being aware of processing and to check that processing is lawful as well as correct and updated. In this case, you will be able to obtain access to your personal data and information, in particular to information relating to processing purposes, categories of personal data concerned, recipients or categories of recipients to whom personal data have been or will be disclosed, retention period, etc.;
- rectification of inaccurate personal data concerning you as well as integration of same personal data where deemed incomplete with regard to processing purposes. During said period Data Controller undertakes not to indicate personal data as certain or final, especially to third parties;
- deletion of personal data concerning you, where said data are no longer needed with respect to purposes for which they were collected. Please note that deletion is subject to valid reasons. If the Data Controller has disclosed personal data to other Data Controllers or Data Managers it is obliged to cancel said personal data, taking reasonable measures including technical measures to inform other data controllers who are processing said personal data to delete any link, copy or reproduction thereof (so-called right “to be forgotten”). Deletion may not be performed if processing is needed inter alia to comply to legal obligations or to execute tasks in the public interest and to assess, exercise or defense a right in judicial proceedings;
- Processing restrictions. Processing restrictions refers to inter alia the opportunity to transfer processed data to a no longer accessible system for storage purposes only. This does not mean that personal data have been deleted but that the Data Controller must avoid processing them in the period of relevant blocking. This would be particularly needed in the event that persistent use of inaccurate and unlawfully stored data could harm you. In such a case you may object to the deletion of your personal data and instead request that their processing be limited. In the event of data rectification or objection, you may request that the processing of said personal data be restricted during the period in which the Data Controller is rectifying them or considering the objection request. A further case would be that in which personal data are needed for you to assess, exercise or defend a right in court, but the Data Controller no longer requires
Above rights may be exercised by contacting the Data Protection Officer (DPO), by means of a request via registered mail to the following address: Via Benedetto Varchi, 61, 50132 Firenze, Italia or by e-mail to: email@example.com
You may also via above-mentioned contact details report to the DPO any circumstances or events from which a data breach (i.e. any security breach capable of accidentally or unlawfully causing destruction, loss, alteration, unauthorized disclosure or access to data) may arise in order to allow immediate assessment and where necessary appropriate actions aimed at countering such an event.
Please note that you are entitled to lodge a complaint with the Italian Data Protection Authority or with another Supervisory Authority pursuant to Article 13, par. 2, letter d) GDPR.
Changes to this Policy
This information may be subject to changes. It is therefore advisable to regularly check it for updates.
Information updated on 10 October 2022.
 ICT management of business continuity and controls on the availability of information.