According to the Regulation’s rules, the processing performed by Cerved will be based on principles of legality, fairness, transparency, purpose and storage limitation, data minimisation, accuracy, integrity and confidentiality, and the principle of accountability under Article 5 of the Regulation.
Cerved Group S.p.A., with registered office at Via Dell’Unione Europea no. 6/A-6/B, San Donato Milanese (“Cerved” or the “Controller”) commits itself to always protecting the on-line privacy of its users.
The Data Protection Officer (“DPO”) under Article 37 et seq. of the Regulation, who is based at our offices, can be contacted at the address indicated in the “Contacts” section of this notice.
The personal data being processed may be:
Identifying data. That term means personal data such as first and last name, identification numbers, data about location, online identifiers or one or more characteristic aspects that identify the data subject or make him or her identifiable, data provided when completing the “Work with Us” section of the Sites (https://company.cerved.com/en/send-curriculum) to apply for a job at Cerved. The user’s curriculum vitae could also contain personal data that falls within special categories of personal data under Article 9 of the Regulation. That category includes “[…] data revealing racial or ethnic origin, political opinions, religion or philosophical beliefs, or trade union membership, and […] genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”.
During their normal operation, the IT systems and the software procedures used to make the Site functional automatically obtain certain information about web navigation, the transmission of which is implicit in the use of internet communication protocols. This information is not collected to be associated with identified data subjects but, by their nature, via associations and processing with data held by third parties, could allow identification of users or surfers. This category includes information about IP addresses, domain names of the computers used by users who connect to the Site, addresses in URI (“Uniform Resource Identifier”) notation of the resources requested, time of the request, method used to submit the request to the web server, size of the file obtained in response, numeric code indicating the status of the response given by the web server (successful, error, etc.) and other parameters relating to the user’s operating system and computer environment. These data are used solely to obtain anonymous statistical data about the use of the Sites and to make sure they are functioning properly, and to identify anomalies and/or abuses, and are deleted immediately after they are processed. The data could be used to determine liability in the event of hypothetical computer crimes that harm the Site or third parties.
It should be noted that, in relation to specific data collection forms available on the Site such as, for example, the forms relating to the receipt of newsletters, please refer, where present, to the privacy notices contained therein which provide all the detailed information regarding such treatment.
Users’ personal data will be processed for the following purposes:
3.1 allowing navigation on the Site and providing the services made available on the Sites by the Controller, including managing the Site’ security;
3.2 complying with any obligations imposed by current laws, regulations or EU laws, or complying with requests from the authorities;
3.3 allowing CVs to be received and, following analysis including candidates’ social and professional profiles, re-contacting candidates who applied using the “Work with Us” section;
3.4 allowing registration for events where such registration is possible using specific sections of the Site.
The legal basis for the personal data processing for the purposes under Section 3.1 is Article 6.1.b) of the Regulation because the processing is necessary to provide the services or respond to the data subject’s requests.
However, the legal basis for the personal data processing for the purposes under Section 3.2 is Article 6.1.c) of the Regulation (“processing is necessary for compliance with a legal obligation to which the controller is subject”). Providing the personal data for these purposes is optional, but failure to do so would make it impossible to activate the services requested.
Specifically, in regard to purpose 3.3, the legal basis under which the data contained in the CV may be processed is Article 6.1.b) of the Regulation. For additional analyses of social profiles of a professional nature that are freely made available on the Internet under Section 2.b, the legal basis for the processing is Article 6.1.f) of the Regulation, namely, Cerved’s legitimate interest in ascertaining any risks regarding a candidate’s appropriateness for serving in the specific open position.
The legal basis for the processing under Section 3.4 is Article 6.1.b) of the Regulation.
The Data may be known by the Company’s personnel authorized to process the data by reason of the performance of their work duties.
Moreover, for the above-mentioned purposes, the data may be communicated to other companies of the Cerved Group and to third parties (such as, for example, suppliers of IT and administrative services, etc.) operating on behalf of the Company as data processors by virtue of specific agreements pursuant to article 28 of the Regulations, as well as, in particular, to banks, companies operating in the insurance field, suppliers of services strictly necessary for the performance of the company’s business activity, or consultants of the company, where this proves necessary for fiscal, administrative or contractual reasons or for requirements protected by the regulations in force.
Moreover, the other companies of the Cerved Group may access the Data for the pursuit of legitimate interests for internal administrative and/or accounting purposes, pursuant to recitals 47 and 48 and article 6 of the Regulation.
Finally, the Data may be shared with authorities, bodies and/or subjects to which the Data must be communicated by virtue of legal provisions or orders of authorities. These authorities, bodies and/or subjects will operate as autonomous data controllers.
The Data will not be disseminated.
The possible transfer of data to subjects operating in third countries outside the EU or the European Economic Area may take place, subject to further information to the person concerned, only if the countries in question are considered safe by the European Commission, or adequate guarantees have been adopted on the basis of current legislation (such as, for example, the standard contractual clauses approved by the same Commission), or there are other specific conditions provided by Article 49 of the GDPR (such as the consent of the person concerned, the performance of contractual services in his favor, etc. …).
The data will be stored on paper and/or computer for the duration of the relationship and at its termination for the terms provided by the regulations in force for accounting and tax purposes, as well as in case of disputes or litigation for the prescription terms of the rights exercised in these areas. Once the aforementioned reasons for processing have ceased to exist, the Data will be cancelled, destroyed or simply kept anonymous.
In relation to the aforementioned treatments, each user, as a data subject, may exercise the rights as per articles 15 to 22 of the Regulation.
In particular, the concerned person has the right to ask the Company for access to his/her own data, and if the conditions are met, to obtain the rectification or cancellation of the same, to oppose the processing (for reasons related to his/her particular situation) or to request its limitation, as well as to obtain the portability of the data provided by the same concerned person, if processed automatically on the basis of the contract or his/her consent.
The data subject may also lodge a complaint with the Guarantor Authority for the protection of personal data, should he/she believe that the processing of his/her data is contrary to the regulations in force.
For any request to exercise the above rights or for any other matter relating to the processing of data concerning him/her, the data subject may contact the Company, as Data Controller, and/or the DPO, at the addresses indicated above.
To exercise your rights above or for any other request, you may write to the Controller at the physical address indicated above or at the dedicated contact firstname.lastname@example.org and, to contact the DPO directly, email@example.com, with the request that you put “Request to exercise privacy rights” in the message’s subject line.
Last update: 21 April 2022