PRIVACY NOTICE FOR CANDIDATES PURSUANT TO ARTICLE 13 OF EU REGULATION 2016/679

In accordance with EU Regulation 2016/679 (General Data Protection Regulation, “GDPR”), we hereby provide the necessary information regarding the processing of the personal data supplied by the data subject. This notice is provided  pursuant to, and for the purposes set out in, Article 13 of EU Regulation 2016/679 (GDPR).

1. DATA CONTROLLERS

Pursuant to Articles 4 and 24 of EU Regulation 2016/679, the data controllers are the following companies of the Symphonie Group (collectively, the “Controllers”):

• Hoverture Italia S.r.l., with registered office in Rome (Italy), VAT No. IT 07222631009;

• Hoverture Europe AG, with registered office in Munich (Germany), VAT No. DE 328888048;

• Rapsodoo Italia S.r.l., with registered office in Rome (Italy), VAT No. IT 14783221006;

• Symphonie Partners S.r.l., with registered office in Rome (Italy), VAT No. IT 15748651005;

• Ydea Studio S.r.l., with registered office in Rome (Italy), VAT No. IT 12282441000;

• Rapsodoo Iberia S.L., with registered office in Madrid (Spain), Tax ID No. ES B85444008;

• Seedble S.r.l., with registered office in Rome (Italy), VAT No. IT 12976701008;

• Bit2win S.r.l., with registered office in Rome (Italy), VAT No. IT 11386070962;

• Diapason Prime S.r.l., with registered office in Rome (Italy), VAT No. IT 15719861005;

• IFS Italia S.r.l., with registered office in Rome (Italy), VAT No. IT 05320991002.

The Symphonie Group companies listed above act, pursuant to Article 26 GDPR, as joint controllers of candidates’ personal data. An internal joint controllership agreement has been executed to transparently define their respective roles and responsibilities, in particular with regard to the exercise of data subjects’ rights and related information obligations.

2. PERSONAL DATA SUBJECT TO PROCESSING  

The Controllers process identifying personal data provided by the data subject during recruiting events, via the website (e.g., when submitting an application), or in the context of the Controllers’ business activities and participation in them (e.g., during events or projects connected to the Company’s activities). Specifically, the following categories of Personal Data may be processed:

• Ordinary personal data (e.g., personal details, contact information, professional and life experience, citizenship, date and place of birth).

• Special categories of personal data (e.g., possible membership of protected categories), where such information is voluntarily included by the candidate in their CV or other documentation submitted.

During the selection process, additional Personal Data may be collected through interviews and tests (e.g., technical or language assessments). Photographs or images of the data subjects may also occasionally be processed, in the forms and within the limits described in the sections below.

3. PURPOSES AND LAWFULNESS OF PROCESSING  

a. Legal purposes — Processing necessary for compliance with a legal obligation to which the Controller is subject (Art. 6(1)(c) GDPR).

Personal Data may be processed where necessary to fulfill obligations arising from provisions of civil and tax law, EU legislation, as well as rules, codes or procedures approved by competent Authorities and other Institutions. Personal Data may also be processed in order to comply with requests from the competent administrative or judicial authority and, more generally, from public bodies in accordance with legal formalities.

Processing of Personal Data is necessary for carrying out recruiting activities for positions at the Controllers’ companies. Failure to provide the data will make it impossible for the Controller to proceed with the selection of the application at all stages of the recruitment process.

b. Recruitment and selection purposes — Measures taken at the request of the data subject and for the performance of pre-contractual measures (Art. 6(1)(b) GDPR).   

Personal Data will be processed for:

1. creating a user profile within the company database;

2. carrying out recruitment and selection activities;

3. fulfilling contractual, pre-contractual, tax and legal obligations, and for administrative and accounting purposes.

In this context, Personal Data may also be used to send organisational communications relating to the selection or related activities (for example, emails about outcomes, information regarding interview recordings, etc.).

Any Special Categories of Personal Data will be processed to fulfil obligations and exercise specific rights of the Controllers and the data subject in the field of employment and social security and social protection law (Art. 9(2)(b) GDPR).

Processing is necessary for operational or pre-contractual reasons. Failure to provide the data will make it impossible for the Controller to proceed with the selection of the application at all stages of the recruitment process.

c. Purposes based on the Controllers’ Legitimate Interests (Art. 6(1)(f) GDPR)

The Controllers may process the candidate’s Personal Data in the following cases:

1. in the event of extraordinary transactions such as a merger, sale or transfer of a business unit, in order to carry out the activities required for due diligence and those preparatory to the sale or transfer. Only the Personal Data strictly necessary for these purposes will be processed, in the most aggregated and/or anonymous form possible;

2. whenever necessary to establish, exercise or defend a right of the Controllers or other Group companies in judicial proceedings;

3. for the anonymous and aggregated analysis of recruitment and selection procedures, in order to improve such processes.

The processing referred to under points 1. and 2. is necessary for operational or defensive reasons; failure to provide the data will make it impossible for the Controllers to proceed with the selection of the application.

d. Purposes requiring the data subject’s consent (Art. 6(1)(a) GDPR)

For any purpose not strictly connected to those set out under points a), b) and c), Personal Data will be processed only after obtaining the data subject’s explicit consent, which is optional and may be withdrawn at any time.

In particular, subject to consent, the Controllers may process Personal Data for the following purposes:

1. sending informational communications (e.g., newsletters) concerning future open positions, recruitment events, projects or other initiatives promoted by the Controllers;

2. responding to contact or information requests received via the website or other official Group communication channels;

3. publishing images and/or videos (e.g., taken during events, projects, initiatives) on websites, social networks or printed materials (e.g., brochures, posters) in order to promote the Controllers’ initiatives

4. RECIPIENTS OR CATEGORIES OF RECIPIENTS OF THE DATA

Personal Data are processed by personnel expressly authorised by the Controllers, in accordance with Article 29 of Regulation (EU) 2016/679, acting on documented instructions and for the purposes set out in section 3.

For the above purposes, Personal Data may be disclosed to third parties belonging to the following categories:

1. providers of IT and technology services, including maintenance of the Group’s platforms and information systems;

2. companies specialising in personnel selection or the management of recruiting processes on behalf of the Controllers;

3. professional firms or consultancy companies for legal, employment law or organisational matters;

4. training bodies or universities involved in training programmes or collaborative projects connected to the Controllers’ activities;

5. subsidiaries, affiliates or companies directly or indirectly owned by the Controllers;

6. competent authorities (for example law enforcement bodies, public entities or judicial authorities), in order to comply with obligations laid down by law, regulations or EU legislation.

All of the above recipients will process Personal Data as:

1. processors pursuant to Article 28 GDPR, if formally appointed and bound by specific instructions;

2. persons authorised to process data acting under the direct authority of the Controllers or the Processor;

3. independent controllers, where they act with full autonomy as to the purposes and means of processing.

Any disclosure will always comply with the principle of data minimisation, limiting the Personal Data shared to those strictly necessary to achieve the specific purposes.

Under no circumstances will Personal Data be disseminated to the public, unless required by a specific legal obligation.

5. TRANSFER OF DATA TO A THIRD COUNTRY AND/OR INTERNATIONAL ORGANISATIONS 

The personal data provided by the data subject will not be transferred outside the European Union.

If certain processing activities require the transfer of the data subject’s personal data outside the European Union or the European Economic Area (EEA), such transfers will take place only on the basis of an adequacy decision of the European Commission or, in the absence of an adequacy decision, in accordance with the Standard Contractual Clauses approved by the European Commission and with appropriate safeguards adopted under the GDPR and applicable data protection laws.

6. METHODS OF PROCESSING

Processing of the data subject’s Personal Data is carried out by means of the operations indicated in Article 4(2) of EU Regulation 2016/679, namely: collection, recording, organisation, storage, consultation, processing, alteration, retrieval, comparison, use, interconnection, restriction, disclosure, erasure and destruction. Personal Data are processed in both paper-based and electronic form. Processing will be performed with full respect for confidentiality requirements and with the most appropriate security measures, as provided for by applicable legislation and in line with technological progress.

Processing does not involve automated decision-making or profiling within the meaning of Article 22 GDPR.

7. DATA RETENTION PERIOD 

In accordance with the storage limitation principle set out in Article 5(1)(e) of Regulation (EU) 2016/679 (GDPR), Personal Data will be kept in a form that permits identification of the data subject for no longer than is necessary for the purposes for which the data were collected. 

In particular:

1. candidates’ data will be retained for the entire duration of the selection process and, subsequently, for a maximum of 24 months from the date of collection or last update, in order to allow assessment for future professional opportunities;

2. where, following submission of the application, a selection process is initiated, the data may be retained for up to 5 years from the conclusion of the selection process, if it does not result in employment;

3. contact and identification data provided, where applicable, to receive communications about new open positions will be retained for 2 years from the date specific consent is given.

At the end of the above periods, Personal Data will be deleted or anonymised, unless an employment relationship is established or there are statutory obligations requiring further retention.

8. NATURE OF THE PROVISION OF DATA AND CONSEQUENCES OF REFUSAL

The provision of personal data for the purposes referred to in section 3, letters a), b) and c) of this notice is necessary for carrying out recruiting activities. Failure to provide such data may make it impossible to complete the application or to participate in the selection process.

The provision of personal data for the purpose referred to in section 3, letter d) is optional. Failure to provide such data will not affect or prejudice participation in, or the conduct of, the selection process.

9. DATA SUBJECTS RIGHTS

Where applicable and within the limits of the GDPR, data subjects have the right to:

1. obtain from the Controller confirmation as to whether or not processing of Personal Data concerning them is taking place and, where that is the case, to access the information listed in Article 15 GDPR;

2. obtain the rectification of inaccurate Personal Data concerning them or, taking into account the purposes of the processing, the completion of incomplete Personal Data pursuant to Article 16 GDPR;

3. obtain the erasure of Personal Data where one of the grounds set out in Article 17 GDPR applies;

4. obtain restriction of processing in the cases provided for by Article 18 GDPR;

5. receive the Personal Data they have provided to the Controller in a structured, commonly used and machine-readable format and have those data transmitted to another controller without hindrance, pursuant to Article 20 GDPR;

6. object to the processing of their Personal Data on grounds relating to their particular situation, unless there are compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims, pursuant to Article 21 GDPR;

7. withdraw the consent given.

Data subjects may exercise the rights listed above by writing to the Controller to whom they submitted their application or by emailing: privacy@symphoniepartners.com.

Without prejudice to any other administrative or judicial remedy, data subjects also have the right to lodge a complaint with the competent supervisory authority if they consider that their rights regarding the protection of Personal Data have been infringed. In Italy, the competent authority is the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali).

10. UPDATES AND AMENDMENTS 

The Controller reserves the right to amend, supplement or periodically update this Privacy Notice in compliance with applicable law or with measures issued by the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali). Any such amendments or additions will be communicated to data subjects.