Privacy policy

As candidates in a recruitment process, we would like to inform you on the personal data processing procedures according to European Regulation no. 2016/679 (hereinafter “GDPR”) and Italian Legislative Decree no. 196 dated June 30, 2013 and subsequent integrations and/or modifications.

1. The Identity of the Data Controller
   The Data Controller is IRBM S.p.A (hereinafter “IRBM”) located in Pomezia (RM) – Via Pontina Km 30.600.
2. The Contact Details of the Data Controller
   The Data Controller can be contacted at the following email address: privacyirbmgroup@irbm.com
3. Legal Basis and Purposes for the Processing of Data
   The legal basis that justifies the processing of data is represented by the explicit consent of the interested party as well as by the possibility of executing contractual, pre-contractual and legal obligations for the purpose of personnel recruitment and the possible establishment of an employment relationship.Personal data are those provided voluntarily by the candidate when submitting the application via the website of the Data Controller, when sending the curriculum vitae and/or during the evaluation interviews and will be processed for personnel recruitment purposes.

   More precisely, we may collect:

   • Personal data (such as name, place and date of birth)
   • Telephone and e-mail addresses
   • Previous work experience
   • School degrees and qualifications obtained.The processing may also concern particular categories of personal data, pursuant to Article 9 of the GDPR, such as health data that are strictly necessary for the hiring or referring to the belonging of the candidate to certain protected categories of data subjects.The submission of personal data is optional. Nevertheless, the eventual lack of consent to submit such data, in whole or in part, and the consent to their processing, determines the impossibility to proceed with the verification of the hiring requirements and/or collaboration conditions and, therefore, to start a working relationship with the Data Controller.
4. Data Processing Procedures
   Personal data is processed in accordance with the principles of integrity, lawfulness, transparency, and when appropriate and not with excess. The same is also processed in a safe manner and protected through the application of suitable technical and organizational measures.Data is processed through the use of tools and procedures deemed capable of ensuring safety and privacy, and may be processed in paper format or with the support of electronic tools.

   We would like to highlight that when processing such data, we strictly adhere to the limits and the conditions set forth by existing legislation, as well as to the requirements mandated by the Italian Data Protection Authority related to the processing of personal data. Data processing is performed so as to guarantee the confidentiality of information, and through the application of the measures set forth in Article 32 of the Regulation, in order to preserve the integrity of the information being processed and to prevent access to the same by non-authorized subjects.

5. Location of Data Processing
   Data obtained is stored in a database, in an automated archive and/or in paper format at the offices of IRBM and/or in a database, in an automated archive, and/or in paper format at the data centers of professionals and/or companies appointed as external data processors that are responsible for the storage of data on behalf of the Data Controller, and for the purposes indicated within this notice.
6. Personal Data retention period
   The data will be processed and stored for the entire duration of the recruitment process except in case of starting an employment and/or collaboration relationship.
7. Communication or dissemination of Personal Data
   The personal data provided will not be disseminated, however the same may be communicated and/or made available solely to specific subjects, or rather individuals and/or legal persons, public and/or private, should the communication be necessary or practical for the purposes set forth within this notice. Examples include but are not limited to:
   • Data Controller employees and collaborators in their capacity of authorized persons or internal and/or external data processors and/or system administrators, in the context of their relative tasks and/or assignments;
   • Third parties or other subjects who carry out activities on behalf of the Data Controller, in their capacity as external Data Processors (by way of example: qualified subjects who provide the Data Controller with services instrumental to the management of the recruitment process such as e.g. labor consultants; recruiting companies; consultants who assist the Data Controller with particular reference to legal, tax, social security, accounting, organizational aspects);
   • Employees and collaborators of the IRBM Group in their capacity of external processors of data;
   • Subjects, public and/or private, that can access data based on legal provisions, regulations, or EU legislation, within the limits set forth by said regulations.

   The information collected and processed can be communicated, for the mentioned purposes indicated in this notice, to the other companies of the IRBM Group. The personal data shall not be transferred outside the European Economic Area.

8. Data Subjects’ Rights
   It is possible to contact the Data Controller to enforce one’s rights as set forth by Articles 12 and 13 of the European Regulation. In particular, the data subject can exercise the right to (i) access one’s data, (ii) request the rectification of the same, (iii) request the cancellation of the same (“right to be forgotten”), (iv) request that only a certain part of the data pertaining to the individual is processed, (v) should it be technically possible, to receive in a structured format or to have access to the information pertaining to the same (also referred to as the “portability” of the information regarding the individual and the information that has been voluntarily shared), (vi) to revoke one’s consent at any time, should this constitute the basis for the processing of data. Revoking one’s consent does not prejudice the lawfulness of the data processing, based on the consent provided before. You can, at any time, exercise any of the above rights by sending a communication at one of the following addresses:
   • IRBM S.p.A., Via Pontina km. 30.600, 00071 Pomezia (RM);
   • email: privacyirbmgroup@irbm.com

Furthermore, IRBM reminds you that, as the data subject, you can contact and lodge a complaint with the Italian Data Protection Authority (www.garanteprivacy.it) by following the procedures set forth by the European Regulation.

Extract of Regulation UE 2016/679

ARTICLE 15 – Right of access by the data subject

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and information.

ARTICLE 16 – Right to rectification

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

ARTICLE 17 – Right to erasure (‘right to be forgotten’)

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay.

ARTICLE 18 – Right to restriction of processing

The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

1. the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;

2. the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

3. the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;

4. the data subject has objected to processing pursuant to Article 21 (par. 1) pending the verification whether the legitimate grounds of the controller override those of the data subject.

ARTICLE 20 -Right to data portability

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.

ARTICLE 21 – Right to object

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6 (par. 1), including profiling based on those provisions.

ARTICLE 22 – Automated individual decision-making, including profiling

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.