Fastcode SpA - Privacy notice on the processing of personal data of job applicants

Pursuant to the current legislation on the protection of personal data (the "Privacy Legislation") including EU Regulation 2016/679 (the "GDPR"), as well as Legislative Decree 196/2003 as amended by Legislative Decree 101/2018 ("Privacy Code"), Fastcode S.p.A. in its capacity as data controller (the "Company" or the "Data Controller" or "Fastcode"), hereby informs job applicants (the "Data Subjects" or the "Candidates" or, in the singular, the "Data Subject" or the "Candidate") who have forwarded their curriculum vitae (the "CV") by e-mail and/or through the portal available on the Company's website, that the personal data included in the CVs will be processed in strict compliance with the Privacy Legislation, for the purposes and in the manner described in this notice (the "Notice").

1. WHO IS THE DATA CONTROLLER?
The Data Controller is Fastcode S.p.A., with registered office in Modena (MO), Strada Vignolese 1175/6, 41126, VAT No. 03894840366, available at the following e-mail address info@fastcode.it. Fastcode is subject to the management and coordination of TXT e-solutions S.p.A., the holding company of TXT Group (the “TXT Group”).

2. WHICH PERSONAL DATA DO WE COLLECT?
The Data Controller processes the following personal data provided through the CV during the selection phase and at the job interview:

Identification and contact data, such as: name, address or other elements of personal identification; telephone and e-mail contact data;
educational and professional background data, such as: education, professional experience, current position or role in the company, last remuneration received, if available;
further personal data possibly included in the CV transmitted to the Company;
data allowing connection to the recruiting form, such as: User ID, connection data.

The Company does not process data of a particular category (such as, by way of example, data disclosing health or affiliation to a trade union association) which, if contained in the CV, will be immediately deleted by the Company itself.

Should the Candidate belong to a legally protected category (e.g. L. 68/99), he/she shall provide information disclosing his/her state of health, which will be processed in compliance with the provisions set forth by Article 9 of the GDPR and, in general, by the Privacy Law.

It should be noted that, where deemed necessary in relation to the specific position, further information may be requested for the purpose of verifying any conflicts of interest that may arise in the context of the activities envisaged by the job.

3. WHO PROVIDES US WITH PERSONAL DATA?
Personal data not directly collected by the Controller from Candidates are communicated to the Company and/or collected by or from:
- head hunters and specialised recruitment companies;
- other TXT Group companies;
- Universities, schools, educational institutions, training institutions or organizations with which the Data Controller collaborates.

The Data Controller also informs Candidates that their personal data will not be disclosed to third parties and will not be disseminated.

4. FOR WHICH PURPOSES DO WE PROCESS PERSONAL DATA AND ON WHICH LEGAL BASIS DOES SUCH PROCESSING TAKE PLACE?
The Data Controller informs the Data Subjects that the personal data acquired by the Company through the CV and/or collected from correspondence with Candidates and/or through interviews, as well as the personal data communicated to the latter pursuant to previous paragraph 3 of this Privacy Notice, shall be processed, electronically and physically, for the following purposes (the "Purposes"):

Case A

Recruiting and personnel selection and/or management of (i) spontaneous requests for recruitment or evaluation of their own professional profile (ii) requests as a result of vacancies opened by the Company via the website and/or linkedin.

Art. 6(1)(b) of the GDPR: execution of pre-contractual measures taken at the request of the Data Subject himself.

Personal data will be stored for a limited period of time, strictly commensurate with the purpose for which it was collected and in accordance with applicable legal or regulatory provisions.

Specifically, Candidates' personal data will be stored and processed for a period not exceeding 24 months following its collection by the Data Controller (the 'Retention Period').

In the event of a convocation for a selection process that does not result in placement, Candidates' personal data may be retained for a maximum period of 24 months, exclusively for recruitment and selection purposes for other professional opportunities.

At the end of the Retention Period, the Candidates' personal data will be cancelled, except in cases where further legitimate interests of the Data Controller and/or legal obligations arising from the possible establishment of the employment relationship as well as legal obligations make it necessary, after minimisation, to retain them.

The transmission of personal data via its own CV is not mandatory, but is necessary to carry out the selection process.

Failure to provide the aforementioned personal data may therefore entail the impossibility for the Company to follow up the selection process and the possible establishment of an employment relationship.

In any case, except in cases where the selection process is addressed to Candidates belonging to legally protected categories, the Company invites all those who intend to submit their candidature not to provide data of a special category as defined by the GDPR (such as, but not limited to, data concerning health status, political opinions, religious beliefs, judicial data or data concerning one's racial and ethnic origins).

Handling of any requests for information sent through the form available on Company's website at the e-mail address: info@fastcode.it

Art. 6(1)(b) of the GDPR: execution of pre-contractual measures taken at the request of the Data Subject himself.

Personal data will be stored for a limited period of time, strictly commensurate with the purpose for which it was collected and in accordance with applicable legal or regulatory provisions.

Specifically, Candidates' personal data will be stored and processed for a period not exceeding 24 months following its collection by the Data Controller (the 'Retention Period').

The transmission of personal data via its own CV is not mandatory, but is necessary to carry out the selection process.

Evaluation of applications submitted as part of the selection process of an individual belonging to a legally protected category pursuant to Law 68/99.

Art. 9(2)(b) of the GDPR: necessity to comply with the obligations and exercise the specific rights of the Data Controller or the Data Subject in connection with employment law.

Personal data will be stored for a limited period of time, strictly commensurate with the purpose for which it was collected and in accordance with applicable legal or regulatory provisions.

Specifically, Candidates' personal data will be stored and processed for a period not exceeding 24 months following its collection by the Data Controller (the 'Retention Period').

The transmission of personal data via its own CV is not mandatory, but is necessary to carry out the selection process.

Establishment, exercise or defence of a right in judicial proceedings.

Art. 6(1)(f) of the GDPR: legitimate interest of the Data Controller relating to the right of defence and the exercise of its rights or of a third party

Personal data will be stored for a limited period of time, strictly commensurate with the purpose for which it was collected and in accordance with applicable legal or regulatory provisions.

Specifically, Candidates' personal data will be stored and processed for a period not exceeding 24 months following its collection by the Data Controller (the 'Retention Period').

The transmission of personal data via its own CV is not mandatory, but is necessary to carry out the selection process.

Whenever the legal basis for the processing is the legitimate interest of the Data Controller, the latter warrants that it has previously carried out an assessment (“balancing test”) aimed at ensuring the proportionality of the processing in order that the rights and freedoms of Data Subjects are not adversely affected, taking into account their reasonable expectations in relation to the specific processing activity performed.

Data Subjects may request further information on the above evaluation by sending an e-mail to the following address: info@fastcode.it.

The Data Controller further informs the Data Subject that he/she has the possibility to object, at any time, to the processing of his/her personal data carried out on the basis of the legitimate interests of the Company.

In the event that the Company intends to use personal data for any other purpose incompatible with the Purposes for which such personal data were originally collected or authorised, the Company shall previously inform the Data Subject and, where required, request his/her consent for additional processing activities.

5. HOW DO WE PROCESS PERSONAL DATA?
Regarding the aforementioned Purposes, the processing of personal data may consist in the activities indicated in Article 4(1)(2) of the GDPR, namely: collection, recording, organisation, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, interconnection, deletion and destruction of personal data.

Moreover, the personal data of Data Subjects will be:
- processed in accordance with the principles of lawfulness, fairness and transparency;
- collected for the legitimate Purposes identified above;
- adequate, relevant and limited to the extent necessary for the Purposes for which they are processed;
- stored in a manner permitting the Data Subject's identification for a period of time not exceeding the achievement of the Purposes and better defined in paragraph 4 above;
- processed in such a way as to ensure adequate security against the risk of destruction, loss, modification, disclosure or unauthorised access through technical and organisational security measures.

The processing may be carried out either by manual, computerised or telematic means with logic strictly related to the Purposes and, in any case, in such a way as to ensure the security and confidentiality of the data themselves, in addition to compliance with the specific obligations enshrined in the Privacy Legislation from time to time in force and applicable.

6. TO WHOM DO WE DISCLOSE PERSONAL DATA?
The personal data of the Candidates will be processed by the employees and collaborators of the Company that are specifically designated as persons authorised to process such data pursuant to Article 29 GDPR and 2-quaterdecies of the Privacy Code, where necessary for the pursuit of the Purposes referred to in paragraph 4 above of this Privacy Notice.

Furthermore, the Data Controller informs the Candidates that their personal data may be shared for the pursuit of the Purposes with further recipients or categories of recipients, in their capacity of autonomous data controllers or, where necessary, data processors specifically selected and appointed pursuant to Article 28 GDPR, including but not limited to:
- TXT Group companies;
- specially appointed service providers engaged in personnel recruiting, selection and evaluation activities;
- service providers specifically appointed for the management and/or maintenance of the Company's websites and the electronic and IT tools used by the Company and/or the other companies of the TXT Group.

Candidates' personal data may also be communicated to third parties in the following cases:
(i) when communication is required by applicable laws and regulations in respect of legitimate third party recipients of communications, such as authorities and public bodies that process your data as autonomous data controllers for their relevant institutional purposes;
(ii) in the event of any extraordinary corporate operation (e.g. mergers, acquisitions, transfer of business, etc.).

The full list of recipients of personal data of the Data Subjects, including further details on the location of the recipients themselves, is kept at Data Controller's head office and is made available upon request to be transmitted to the contact details indicated in paragraph 8 below.

7. DO WE TRANSFER PERSONAL DATA TO COUNTRIES OUTSIDE THE EU?
Personal data will be managed and stored on Data Controller's servers located within the European Union.

As part of an international group, Fastcode informs the Data Subjects that, in order to process the personal data of the Data Subjects for the Purposes pursuant to paragraph 4 hereinabove, some personal data may be transferred to TXT Group companies based outside the European Union (among the countries, we mention: Switzerland, United Kingdom, United States of America).

Considering that some of the aforementioned countries do not guarantee an adequate level of protection of personal data compared to the one provided in the European Union, the Data Controller has taken steps to ensure that the transfer of Data Subjects' personal data to such countries occurs exclusively in compliance with the conditions set forth under Articles 45/49 of the GDPR and, in particular:
- in Switzerland: COMMISSION DECISION of July 26, 2000
- in the United Kingdom: COMMISSION DECISION of June 28, 2021
- in the United States: COMMISSION DECISION of July 10, 2023
- in Canada: COMMISSION DECISION of December 20, 2000.

Should the Company intend to transfer the personal data of Data Subjects to countries outside the EU other than those mentioned above, such transfer will only take place in compliance with the conditions set forth under Articles 45/49 of the GDPR.

8. WHAT ARE YOUR RIGHTS IN RELATION TO THE PROCESSING OF YOUR PERSONAL DATA, HOW CAN YOU EXERCISE THEM AND HOW CAN YOU CONTACT US?
The Data Controller informs the Data Subject that, in accordance with the law, he/she shall at any time be entitled to withdraw his/her consent, where given, as well as to exercise the following rights (collectively, the “Rights”):
1. the “right of access” and specifically to obtain confirmation of the existence or absence of personal data concerning him/her and to have them made available in an intelligible form;
2. the “right to rectification” that is, the right to request the rectification or, if he/she has an interest, the integration of personal data;
3. the “right to erasure ” that is, the right to request the deletion, transformation into anonymous form of data processed in breach of the law, including data whose storage is not necessary in relation to the purposes for which the data were collected or subsequently processed;
4. the “right to restrict processing” that is the right to obtain from the Data Controller the restriction of processing in certain cases provided for under the Privacy Legislation;
5. the right to request the Data Controller to specify the recipients to whom he has notified any rectification or erasure or restriction of processing ( carried out pursuant to Articles 16, 17 and 18 GDPR, in fulfilment of the obligation to notify except where this proves impossible or involves a disproportionate effort);
6. the “right to data portability” that is the right to receive (or to transmit directly to another data controller) personal data in a structured, commonly used and machine-readable format;
7. the “right to object” that is the right to object, wholly or partly:
- to the processing of personal data carried out by the Data Controller for its own legitimate interest;
- to the processing of personal data by the Data Controller for marketing or profiling purposes.

In the aforementioned cases, where necessary, the Data Controller shall inform the third parties to whom the Data Subject‘s personal data are transferred of the possible exercise of their rights, except in specific cases where this is not possible or would be too burdensome and, in any case, in accordance with the provisions of the Privacy Legislation.

It is expressly understood, as provided for under Article 21 of the GDPR, that in the event of exercise of the right to object by the Data Subject, the Data Controller shall refrain from further processing the personal data unless the Data Controller demonstrates the existence of compelling legitimate grounds for processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of a right in judicial proceedings.

The Data Subject may at any time exercise his or her rights as follows:
- by e-mail, to the address: info@fastcode.it;
- by regular mail, to the address of the registered office of Fastcode S.p.A. in: Modena (MO), Strada Vignolese 1175/6, 41126.

In any event, the Company - whenever it has reasonable doubts as to the identity of the Data Subject who submits the request referred to in Articles 15 to 21 of the GDPR - may request additional information necessary to confirm the identity of the Data Subject.

Please note that the Company undertakes to respond to your request at the latest within one month following receipt of your request. This deadline may be extended depending on the complexity or number of requests, and the Company will provide you with an explanation as to the reason for the extension within one month from your request. It should also be noted that should the Data Controller fail to comply with the request, it is obliged to provide feedback to the Data Subject as to the reasons for non-compliance and the possibility of lodging a complaint with a supervisory authority or judicial review within one month following receipt of the request.

9. HOW CAN YOU LODGE A COMPLAINT BEFORE THE SUPERVISOR?
The Data Controller informs the User that, pursuant to the Privacy Legislation, he/she has the right to lodge a complaint to the competent supervisory authority (in particular in the Member State of his/her habitual residence, place of work or place of the alleged breach), if he/she considers that his/her personal data are being processed in a manner that would result in a breach of the GDPR.

In order to facilitate the exercise of the right to lodge a complaint, the name and contact details of the EU supervisory authorities are available at the following link: https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm.

Finally, should the User wish to lodge a complaint to the competent control authority for the Italian territory (i.e. the Italian Data Protection Authority), the complaint form is available at the following link: https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/4535524.

10. AMENDMENTS TO THE NOTICE
This Privacy Notice may be amended and supplemented over time. We invite Data Subjects to periodically check its contents. In any event, the Data Controller shall be responsible for duly notifying any significant changes made to this Privacy Notice.

Document updated as of 01/01/2024