Processing Policy of personal data pursuant to the Regulation (UE) 2016/679 (GDPR) and pursuant to the Legislative Decree n. 196/2003 as amended by the Legislative Decree

Data controller: Computec Srl (hereinafter also referred as “Data controller” or “holder”)
Office: via C.A. Dalla Chiesa, 5 25017 – Lonato del Garda (BS) Useful contacts: privacy@computeconline.it

Data protection officer: N/A

Recipients: External managers and possible independent data controllers
Auditor and/or certification bodies; IT service providers; Judicial authority and investigative bodies.

Purposes in short and the managing of personal data for their pursuit:
Implementation of precontractual measures at the request of the interested party;
Preservation in terms of law Communication;
Sending of e-mails of promotional nature about services and activities of the holder;
IT security activities.
Data: Identifying data, contact details, accounting data, curriculum data and IT data

Rights of the data subject and arrangements for the exercise of the rights
The data subject may at any time exercise the rights stated in articles 15 et seq. of GDPR and, in the cases determined, may exercise the right to complain to the Privacy Authority for the protection of personal data.
The data subject may exercise the rights addressing to the data controller at the contact details indicated therein.

Sources of personal data collection: From the data subject; From third parties other than the data subject
IT service providers; Judicial authority and investigative bodies

The data controller hereby informs the data subject with regard to:

1)The reason why personal data is processed

The data controller gathers and / or receives:
– identifying data
– Personal data
– Contact details
– Accounting data
– Curriculum data
– IT data such as ( IP address, log and emails gathered also through the service “ work with us” displayed on the data controller’s website)

Data may also be collected from third parties, other than the data subject, such as, for example:
– recruiting and training company
– IT service providers
The data collected and / or obtained from the Data Controller shall be deemed necessary.
Failing of those makes impossible to follow up activities aimed at:
evaluating the candidate’s candidacy
managing candidates selection process in all its phases and the obligations that come from it

The data collection will only cover common data: therefore the data subject does not need to provide different ones such as those referred to in art. 9 of Regulation (EU) 679/2016 and, among others, personal data which reveal the racial and ethnic origin, religious, philosophical or other beliefs, political opinions, membership of parties, trade unions, associations or organizations of a religious, philosophical, political or trade union nature; as well as personal data that can reveal health status and sexual life.
The data we are considering must be known only for reasons related with an establishment of a working relationship, with attention to the possible belonging of the person concerned to protected categories. Personal data, especially those belonging to particular categories, if spontaneously released must be accompanied by authorization for data processing, otherwise the curriculum of the data subject will not be taken into account.
The data subject’s personal data is processed for the purposes described in the Purposes below. Each purpose meets the legal bases mentioned in art. 6 of the GDPR and / or also mentioned in art. 9 of the GDPR.

Purposes
performing of the selection procedures
inclusion in the data controller’s organizational context of the successful candidate
establishing of employment relationship

Legal basis
The performance of selection activities;
Fulfillment of specific obligations and execution of specific tasks arsing from laws, regulations or collective agreements, including corporate ones, in particular when establishing the employment relationship;
The legitimate interest of the data controller, in the correct fulfillment of the obligations arising from voluntary application rules ( es. quality standards) and fby the legislative decree. n . 231/2001

Purposes
The communication to third parties and / or recipients such as:
– recruiting and training company
– IT service providers
– control authorities (auditors, supervisory authorities, certification authorities) who supervise the fulfillment of obligations deriving from regulations voluntary application (eg quality standards) or administrative liability of organizations (Legislative Decree No. 231/2001
– subjects that perform tasks related to IT security, eg pentest

Legal basis
The performance of selection procedures;
The legitimate interest of the data controller in guaranteeing the security and confidentiality of the personal data;
The legitimate interest of the Data Controller in guaranteeing an adequate, impartial and professional management in the selection procedure, also by making use of expert selectors;
The legitimate interest of the Data Controller in correctly fulfilling the obligations arising from voluntary application rules (eg standard quality) or by Legislative Decree n. 231/2001.

Purposes
IT security activities consisting of:
– control and monitoring of hw and sw systems, applications and IT equipment used in processing the personal data; 
- control and monitoring of the services displayed on the data controller’s network and digital platforms;
- implementation of procedures for detecting and notifying personal data breaches (data breach)

Legal basis
The performance of activities related with the established relationship;
The legitimate interest of the Data Controller in correctly fulfilling the obligations arising from voluntary application (eg quality standards) or from the Legislative Decree n. 231/2001;
The legitimate interest of the Owner in guaranteeing the security and confidentiality in the personal data processing
Fulfillment of legal obligations (detection and notification of data breach events).

The data controller does not transfer the person concerned personal data abroad (non-EU countries).
They will not in any way be disseminated or disclosed to undetermined individuals who cannot be identified as third parties.

The communication concerns the categories of data whose transmission is necessary for the performance of the activities and purposes pursued by the Data Controller in managing the relationship established.
The processing of personal data does not require the consent from the person concerned when responding to legal obligations or to fulfill the obligations deriving from the relationship established. Other exclusion case derives from the current legislation, even on a voluntary basis, by the Data Controller, or even through third parties identified as data processors.

2) how personal data is processed and where and for how long it is stored

The personal data processing is carried out through paper supports or IT procedures by authorized internal personnel.
They have access to the personal data of the data subject in the terms and limits necessary for carrying out the processing activities.
The data controller periodically verifies the instruments through which the personal data of the data subject is processed and the security measures to provide a constant update.
He verifies, also via authorized data processors, that personal data is not collected, processed and stored, when unnecessary or in case the processing procedures are completed;
He verifies and guarantees the personal data’s integrity and authenticity when stored and its use for the purposes actually performed.

The data controller guarantees after verification that excessive, irrelevant or not indispensable personal data will not be used except for the possible storing of the acts or documents containing them, as provided by the law.
The data is stored in paper, computer and electronic archives, located within the European economic area, under appropriate security measures.

The data subject‘s personal data is stored for the time necessary to achieve the purposes for which they were collected and for the additional time that may be imposed or permitted by law.

In particular:

Identifying data; personal data; accounting data; commercial and professional data

the restriction of the personal data processing and other guarantees provided in particular cases:
– the erasure of personal data collected through curriculum that are submitted spontaneously, with no authorization for personal data treatment and/ or in the absence of an open position;
– the data controller interest in storing the personal data, even those released spontaneously, for the necessary time to evaluate a candidacy even for future employment relationships
– the establishment of the employment relationship
except, again, any dispute that involves an extension of the aforementioned terms, for the time necessary to achieve its purpose

IT data

Storing data time depends on the data processing needs and on the presumed and / or detected risk and on the prejudicial consequences and on the responsibilities arising from it, except for the measures to make the data anonymous or to limit its treatment.
In any case, the data must be stored (with effect from the knowledge / detection of the event of danger or data breach) for the time necessary to notify the authority guarantor of any violation of the data detected by the procedures implemented by the holder

The Data Controller will delate any personal data of the data subject when the purposes that legitimize their storage is reached.

3) Rights of the data subject

The data subject has the right to control over his personal data.
The rights are the following:
– access;
– correction;
– cancellation;
– treatment limitation;
– opposition to treatment;
– portability

In other words at any moment, without special charges and formalities the data subject is entitled to:
– having confirmation that the personal data processing is carried out by the data controller;
– accessing to his personal data and knowing the origin (when the data are not obtained directly from the data subject), the goals and the purposes of the processing, the details of the subjects they are communicated to, the period of data storing or useful criteria to determine it;
– obtaining the updating or correction of his personal data so that they are always correct;
– obtaining the cancellation of his personal data from banks databases and / or archives, including backups, among others, where they are no longer necessary for the purposes of the processing or if it is assumed to be illicit, and if these conditions are required by law, and in any case if the treatment is not justified by another equally legitimate reason;
– limiting the processing of his personal data in certain circumstances, for example when the accuracy is contested, for the period necessary for the Data Controller to verify its accuracy. The data subject must be informed, in due time, even when the suspension period has been completed or the reason for the limitation of the processing has been ceased, and therefore the limitation itself revoked;
– obtaining his personal data, if his data processing takes place on a contract base and with automated tools, in electronic format in order to transmit them to another data controller.

The data controller must proceed in this way without delay and, in any case, at the latest within one month from the time he receives the request of the data subject. The deadline can be extended by two months, if necessary, taking into account the complexity and the number of requests received. In these cases, the data controller will inform the data subject of the reasons for the extension within one month from the moment he receives the request.

4) How and when the data subject may oppose to the processing of his personal data

For reasons relating to his particular situation, the data subject may go against the processing of his personal data at any time if it is based on a legitimate interest, by sending his request to the data Controller at privacy@computeconline.it
The data subject has the right to cancel his personal data if there is no prevailing legitimate reason than the one that has given rise to his request.

5) To whom the data subject can make a claim

Except to any administrative or judicial action, if the data subject deems a violation of his personal data and of the legislation applied to the related processing, the data subject may submit a claim to the competent guarantor authority. In the event the violation takes place in another EU country, the competence to receive and to detect the claim will be under the control of authorities established therein.
Any update about this information document will be communicated to the data subject through promptly and with the adeguate methods. Moreover to the data subject will be given information on the implementation by the Data Controller of the other processing that goes beyond the purposes referred in this statement, before proceeding and in time to give his consent if necessary.