Candidate Policy
Privacy Notice for the Processing of Personal Data of Candidates pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (“GDPR”)1
1. Contact Details of the Data Controller and Data Protection Officer
| Data Controller | Data Protection Officer (DPO) |
|---|---|
| Pirate Rocket S.r.l. (P.IVA 02644170033), with registered office at 20125, Milan, Via Giovanni Battista Sammartini, 33, email address [email protected], hereinafter referred to as the “Controller” | [email protected] |
2. Categories of Data Processed and Data Source
2.1 The data include, by way of example and not exhaustively, name, surname, place and date of birth, tax code, address, gender, telephone contacts, educational qualifications, work experiences, and any additional data you have entered in the CV and/or in the application form available on the website www.piraterocket.com.
2.2 We also inform you that the Controller may process "special categories of data" pursuant to Article 9 of the GDPR, where necessary under Article 9(2)(b) of the GDPR, such as data suitable for revealing health status and/or membership of protected categories, possibly contained in the CV or in any additional documentation transmitted to the Company. Special Categories of Data may be processed, by way of example and not exhaustively, to evaluate applications for positions falling within the scope of targeted recruitment. In the absence of such cases and in the absence of the conditions set forth in Article 9 of the GDPR, such data will not be taken into consideration.
2.3 The aforementioned data are collected directly from you as the data subject and/or from publicly accessible sources such as your professional profile within professional social networks (within the limits set out in this notice).
3. Purposes of Processing, Legal Bases, and Retention Periods
| Why are your data being processed? | What is the condition that makes the Processing lawful? | For how long do we retain your data? |
|---|---|---|
| 1. For purposes connected or instrumental to the carrying out of the candidate search and selection activity in relation to all positions managed by the Controller and the companies belonging to the Group (Joint Controllers). | 1. Consent of the data subject (Art. 6(1)(a) GDPR); 2. Legitimate interest of the Company (Art. 6(1)(f) GDPR); 3. Performance of re-contractual measures taken at your request (Art. 6(1)(b) GDPR). | For ten years from the last activity carried out, unless the data subject requests deletion at any time. |
| 2. For purposes related to processing publicly available information concerning your profile on professional social networks to verify that the data provided by you correspond to what you have declared, limited solely to professional information necessary for the purpose of evaluating specific risks associated with the type of activity to be performed based on the sought-after profile, adopting all necessary measures to ensure the correct balance of your interests, rights, and fundamental freedoms with our legitimate interest. | Legitimate interest of the Company (Art. 6(1)(f) GDPR). | For ten years from the last activity carried out, unless the data subject requests deletion at any time. |
| 3. To ascertain, exercise, or defend the rights of the Controller out-of-court and/or in judicial proceedings. | Legitimate interest of the Company (Art. 6(1)(f) GDPR). | For ten years from the last activity carried out, unless the data subject requests deletion at any time. |
Upon expiration of the aforementioned retention periods, all data will be either destroyed or anonymized, in accordance with the technical procedures for deletion and backup.
1 Note: The information pursuant to Article 14 of the GDPR may be used in case of data collection from third parties.
4. Mandatory Provision of Data
4.1 The provision of data is mandatory for the personnel search and selection activity as well as to avail of the services offered by the Company. Refusal to provide the data will prevent the Controller from carrying out such activities and will not allow your candidacy to be considered.
4.2 The provision of data for the purposes outlined in point 2 above is optional.
5. Categories of Data Recipients
5.1 Data may be disclosed to entities acting as independent data controllers (including companies within the Controller's Group, professionals, public entities, supervisory or auditing bodies), also to comply with legal obligations, or processed on behalf of the Controller by designated data processors who are provided with appropriate operational instructions.
6. Authorized Data Processors
6.1 Data may be processed by employees of the company functions or third parties assigned to pursue the aforementioned purposes, who have been expressly authorized for processing and have received adequate operational instructions.
7. Transfer of Data Abroad
7.1 Personal data are stored in computerized archives located both within the European Union and outside it if this is instrumental to achieving the purposes indicated in point a). In the latter case, the Controller ensures that companies outside the European Union are processing personal data with the utmost confidentiality in compliance with the European Commission's adequacy decisions or, if necessary, by entering into agreements ensuring an adequate level of protection.
8. Data Subject Rights
8.1 You may request from the Controller access to the data concerning you, their rectification or erasure, the restriction of processing in cases provided for by Article 18 of the GDPR; to receive the data concerning you in a structured, commonly used, and machine-readable format, and, if technically feasible, to transmit them to another controller without hindrance where the conditions for the exercise of the right to data portability under Article 20 of the GDPR are met (the processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a) of the GDPR or on a contract pursuant to Article 6(1)(b) of the GDPR).
8.2 For proper handling of the request, the Controller may request further specifications from the Data Subject. The Controller will process the request within 30 days of receiving it; if this deadline cannot be met, it is the responsibility of the Controller to inform the Data Subject and keep them updated on the progress of the communication sent.
8.3 These rights can be exercised by writing to [email protected] and/or [email protected].