Regarding applicants to employment positions, other labor relations or collaborations

For us, personal data protection is a serious subject, so we would like to inform you about the way in which your data is processed and the rights you can exercise under current data protection legislation, in particular the EU Regulation 2016/679 (hereinafter also referred to as “GDPR”).

1. Data Controller and DPO
   

   Data Controller Tamburi Investment Partners S.p.A. Registered Office: Via Pontaccio 10 20121 Milano (MI) Phone: 02.8858801 E-mail:TIP@tamburi.it

   Data Protection Officer’s (DPO) contacts: Avv. Vera Cantoni Registered Office for the role: Via Turati 26, 20121 Milano (MI) Phone: 02.70039991 E-mail: dpo@tamburi.it

2. Categories of processed personal dataCategories of personal data (ex-art. 4.1 of the GDPR) processed by the Data Controller can be, as a non-exhaustive example:- Identification data (e.g., name, date of birth, place of birth, social security number, marital status, profession, etc.);

   – Contact Data (e.g., address, e-mail address, telephone number, etc.);

   – Data regarding education and professional and job-related experiences;

   – With reference to the fulfilment of legal obligations provided for in relation to the elimination of violence and harassment in the workplace (referred to, in general, as the Anti-harassment’ legislation): identification, personal and contact data, as well as other non-particular data acquired as a result of the reports (by way of example but not limited to, information on the reporting person’s work activity and relations with the persons involved, etc.), as well as any special category of personal data (e.g. health data, data on sexual orientation and gender identity), contained in the reports or acquired as part of the reporting management procedure, if the reporters turn out to be victims of the above-mentioned harassment.

3. Purposes and legal basis for data processing– Purpose based upon a legal obligation (ex-art. 6 paragraph 1 (c) of the GDPR)

   – Management of the Anti-harassment reporting channel provided for in Law No. 4/2021 (hereinafter also referred to as the ‘Law’ or ‘Anti-harassment legislation’) and the ‘Procedure for the management of reports of violence or harassment in the workplace’ and, in any event, the fulfilment of the obligations provided for in Law No. 4 of 2021 and, more generally, in the current legislation on the elimination of violence and harassment in the workplace (referred to, in general, as the ‘Anti-harassment’ legislation).

   The retention period of personal data for the purposes set out in this section is:

   For the purpose a: for as long as necessary for the processing of the report and in any case up to 5 years from the date of the conclusion of the processing of the report, i.e. within the prescriptive periods relating to civil liability actions, which could be longer in the case of any offences with a longer statute of limitations, as well as, in the case of disciplinary proceedings, 10 years from the imposition of any sanction, and, in the case of any litigation, for the corresponding duration (until the related judgments become final).

   – Purposes based upon the performance of a contract or for precontractual measures (ex-art. 6 paragraph 1 (b) of the GDPR)

   The purpose based upon the performing of precontractual measures is:

   – Management of the selection processes regarding one or more vacant positions, in order to establish a job contract (including, a non-exhaustive example, evaluating and selecting one or more subjects to cover the aforementioned positions and the collecting of more information necessary to the employ the subjects and to draft the specific contract).

   The retention period for personal data, in regard to the above purpose is:

   For purpose a: 24 months from the data’s collection, safe for the eventual employment of the subject (in such case the retention period will follow the specific retention periods as listed or necessary in regard to the single specific employment relationship which will be listed in their own specific privacy policies).

   – Purpose based upon the data subject’s consent (ex-art. 6, paragraph 1 (a) of the GDPR)

   The purpose that requires consent is:

   – Management of the CV’s selection and evaluation process in its upmost general meaning (regarding personal data not connected to the performing precontractual measures).

   The retention period for personal data, in regard to the above purpose is:

   For purpose a: 24 months from the consent’s acquisition.

4. Recipients or categories of recipients of personal data * (ex-art. 13 paragraph 1 (e) of the GDPR)In relation to the above listed purposes, the Data Controller could communicate personal data to:- Internal offices and authorized personnel;

   – Surveillance and control bodies;

   – Companies and professionals in the field of IT services;

   – Accounting companies/ employment consultants, professional firms in general (lawyers, accountants, etc.), in case of the eventual start of an employment relationship;

   – Consultancy companies in the field of recruitment;

   With reference to the fulfilment of legal obligations provided for on the subject of the elimination of violence and harassment in the workplace (the ‘Anti-harassment’ legislation referred to above)

   – the person(s) holding the title of ‘Anti-harassment Reporting Channel Manager’ (regardless of whether it is a person external or internal to the Data Controller’s organization)

   – the offices that may be involved for the purpose of the adoption of appropriate measures or steps by the Data Controller itself, should it be necessary to disclose their identity for the purpose of carrying out related corporate proceedings;

   – companies and professional operators providing IT services (who perform technical maintenance of the IT reporting channel);

   – the Data Controller’s control and supervisory bodies, should it be necessary for the performance of their control tasks;

   – any law firms and their supporting technical consultants, if the follow-up to the report entails the commencement of disciplinary or judicial proceedings, where it is necessary to disclose their identity in order to conduct such proceedings;

   – judicial authorities and/or public supervisory authorities, as well as other public administrations and public authorities;

   – with the consent of the reporting person, within the framework of conciliation meetings or within the framework of disciplinary proceedings, if, in the latter case, it is indispensable for the defense of the reported persons.

   * More information regarding recipients (ex-art. 4.9 of the GDPR) are available by contacting the Data Controller through the addresses listed above.

5. Recipients or categories of recipients of the personal (pursuant of art. 13 paragraph 1(f) of the GDPR) e data transfer outside the EUThe Data Controller does not have the intention to transfer Your data in States which are not member of the EU or the EEA for the above listed purposes.
6. Data Subject’s rights (ex-art. 13 par. 2 (b) of the GDPR)The data subject can exercise the following rights, in relation to personal data mentioned in this privacy policy, as stated by the GDPR:- Right of access by the data subject [art. 15 of EU Regulation] (possibility to be informed on the treatments carried out on his personal data and, if necessary, receive a copy of them);

   – Right to rectification [art. 16 of EU Regulation] (data subject has the right to rectify incorrect data concerning him);

   – Right to erasure without unjustified delay (“right to be forgotten”) [art. 17 of EU Regulation] (data subject has the right to delete his personal data);

   – Right to restriction of processing, as provided by article 18 of EU Regulation, among the other cases, in case of illicit processing or contestation of the accuracy of personal data by the data subject [art. 18 of EU Regulation];

   – Right to data portability [art.20 of EU Regulation], (data subject has the right to receive the personal data concerning him/her, which he/she or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, as provided by the same article);

   – Right to object to processing [art. 21 of EU Regulation] (the data subject has the right to object processing of personal data as provided by article 21 of EU Regulation);

   – Right to not be subject to automated individual decision-making [art. 22 of EU Regulation] (The data subject shall have the right not to be subject to a decision based solely on automated processing).

   With reference to the fulfilment of legal obligations provided for in connection with the elimination of violence and harassment in the workplace (referred to, in general, as the ‘Anti-harassment’ legislation referred to above), it is specified that the above-mentioned rights may not be exercised if their exercise may result in an actual and concrete prejudice to the confidentiality of the identity of the reporting persons, in cases where the Data Controller or the Manager of the anti-harassment reporting channel deems it appropriate to protect such confidentiality or in cases where one of the hypotheses set out in Article 2 undecies para. 1 of the Privacy Code or if such rights are in conflict with the obligations of the Data Controller with regard to the fulfilments of the aforementioned ‘Anti-harassment’ legislation.

   More information regarding the data subject’s rights can be obtained on the company’s website or by requesting the full excerpt of the above listed articles to the Data Controller.

   Regarding the purposes which require consent, the data subject can revoke it at any time and the revocation’s effect will start from the moment of revocation, safe for timeframes established by law. In general, the consent’s revocation will affect only future processing.

   The above-mentioned rights can be exercised as established by the Regulation also by sending an e-mail to the following address: TIP@tamburi.it

   Pursuant of art. 19 of the EU Regulation, the Data Controller will proceed to inform the recipients to whom personal data have been communicated, about eventual correction, cancellations or limitations of the data processing whenever it is possible to do so.

   To grant a faster response to Your requests to exercise the above listed rights, the requests can be sent to the Controller at the addresses listed in section 1.

7. Right to lodge a complaint (ex-art. 13 par. 2 (d) of the GDPR)If the data subject considers that his/her right has been compromised, he/she has the right to lodge a complaint to the supervisory authority (or Data protection Supervisor), according to the methods indicated by the same authority.If you are Italian, you can refer to the following link: http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/4535524 or by lodging a complaint by mail to the Italian Authority for the Protection of Personal Data.
8. Potential consequences of failure to provide personal data and nature of the providing of data (art. 13 paragraph 2 (e) of the GDPR)– In case of compliance with a legal obligation to which the Data Controller is subjected to or for performing a contractIt must be known that when the purpose has, as a legal basis, a legal obligation or a contractual one (or even a precontractual one), the data subject must necessarily provide the required personal data.

   On the contrary, it will be impossible for the Controller to proceed with the specific personal data processing purposes.

   In particular, with reference to the above-mentioned purpose connected with the fulfilment of legal obligations provided for in the matter of the elimination of violence and harassment in the workplace (referred to, in general, as the ‘Anti-Harassment’ legislation mentioned above), unlike other processing purposes that have a legal obligation as their legal basis, the data subject provides his/her personal data freely and voluntarily.

   Therefore, with regard to the above-mentioned processing, it is specified that the provision of personal data will be free, optional and voluntary, following a spontaneous initiative by the Data Subject, although such provision of data remains necessary in order for the Data Controller to proceed with the management of any reports and to be able to fulfil the related legal obligations to which it is subject. Therefore, the Data Subject is also informed that after sending the report and the related provision of data, he/she will not be able to withdraw such provision and/or request the deletion of the related data communicated (with the exception of possible requests for the deletion of data, which may be kept beyond the retention period indicated above for purpose 3.1. letter a). For the sake of completeness, we inform you that only the managers or recipients of the reports have the prerogative of assessing as irrelevant or erroneous the data provided in the framework of the reports, and that this prerogative does not belong to the reporter, with the consequences of the case on the exercise of the right to erasure. The reporting person may however provide the information and remarks that he/she deems appropriate in order to detect the aforementioned errors and/or to contribute to the aforementioned findings

   – In case of the data subject’s consent

   We inform you that the above-mentioned purposes have as lawful base the consent, and that in relation to such purposes, the data subject can revoke his/her consent at any time, and that the revocation’s effects will affect only from the time of revocation, safe for conservation periods established by law. Generally, the revocation of consent will only affect future processing. Thus, the processing which has been performed before the consent’s revocation will not be affected and will maintain its lawfulness.

   When data is no longer needed, it will be deleted. If its deletion is impossible or only possible with a disproportionate effort due to a particular storage method, the data cannot be processed and must be stored in inaccessible areas.

9. Presence of an automated decision-making process (included profiling activity)The use of a purely automated decision-making processes as detailed by Article 22 of the GDPR is currently excluded. Should it be decided in the future to establish such processes on a case-by-case basis, the data subject will be notified separately if this is required by law or if this information notice is updated.
10. Methods of data processingPersonal data will be processed both in analog and electronic format and entered in the applicable data bases which can be consulted and processed by operators and processors designated by the Data Controller who will be able to carry out the consultation, use, handling, comparison and any other appropriate operation, direct or automatic, respecting the legal requirements necessary to guarantee the confidentiality and the security of the data, as well as their accuracy, updating, and their relevancy to the declared purposes.We inform you that with particular reference to the above-mentioned purpose, connected to the fulfilment of legal obligations provided for on the subject of the elimination of violence and harassment in the workplace (referred to, in general, as the “Anti-Harassment’ legislation referred to above), the personal data will be processed mainly, if not exclusively, in computerized and telematic form and stored in the specific area of the platform for the management of reports, which can be accessed, and therefore become known, only by the persons appointed for the management of reports, expressly designated by the Data Controller as Data Processors of or as Authorized Personnel to process personal data, who may exceptionally process the data, if deemed appropriate by such persons, also on electronic removable devices or paper-based means (with the specific measures envisaged by the Data Controller), without prejudice to the use of further necessary media (used by the Data Controller and its law firms) in the event of disciplinary proceedings and litigation. These subjects may carry out consultation, use, processing, comparison and any other appropriate operation, including automated operations, in compliance with the provisions of the law necessary to ensure, inter alia, the confidentiality and security of the data as well as the accuracy, updating and relevance of the data with respect to the stated purposes

11. Changes and updates

    The Data Controller can also change and/or amend this privacy policy also as a consequence of eventual and subsequent changes and/or amendments following new regulations.