Privacy Policy of our website - XTN Cognitive Security

Complete Information for hiring/collaboration candidates

Who are we and what do we do with your personal data?
XTN Cognitive Security S.r.l., with its registered office at Via Santa Caterina n. 95 Arco (TN) (hereinafter referred to as the Data Controller), is committed to protecting the confidentiality of your personal data and ensuring their protection from any event that could put them at risk of violation. The Data Controller implements policies and practices regarding the collection and use of personal data, as well as the exercise of the rights recognized by applicable law. These policies and practices are updated whenever necessary, particularly in the event of regulatory or organizational changes that may affect the processing of your personal data.
The Data Controller has appointed a Data Protection Officer (DPO), whom you can contact if you have questions about the policies and practices in place. You can reach the DPO at: dpo@xtn-lab.com.

How and why does the Data Controller collect and process your personal data?

The Data Controller collects and/or receives the following information about you:

  • Name, surname;
  • Tax ID and VAT number;
  • Place and date of birth;
  • Physical and electronic addresses;
  • Landline and/or mobile phone number;
  • Curriculum data;
  • IT data (e.g., IP addresses and data derived from the use of forms submitted on websites related to the Data Controller, such as those in the “Work with Us” section);
  • Data revealing health conditions, if provided by you, including through your curriculum or if the position you are applying for is reserved for protected categories under specific legal obligations.

Your personal data will be processed for the following purposes:

1) Personnel selection and/or initiation of a collaboration

Purpose:

  • Searching for candidates for open positions
  • Collecting applications and CVs, which may occur through personnel search advertisements conveyed through selection agencies, temporary agencies, universities, newspapers, magazines, specialized periodicals, or the institutional website
  • Examining received curricula
  • Organizing selective interviews
  • Integrating the suitable candidate into the organizational context
  • Establishing the employment/collaboration relationship

Legal basis:

  • Carrying out pre-contractual activities
  • Fulfillment of specific obligations Execution of specific tasks derived from laws, regulations, or collective agreements, including corporate ones, particularly for the purposes of establishing the employment and/or collaboration relationship.

Your data may also be collected from third parties, such as:

  • Other data controllers, e.g., [examples];
  • IT service providers;
  • Private entities engaged in employment services, intermediation, recruitment and selection, training, and professional outplacement support activities;
  • Universities.

Where applicable, the right to rectification of processed or collected data is reserved.
The data collected or otherwise obtained by the Data Controller following the selection process for available positions within its organization, except for health-related data you voluntarily provide, must be considered necessary. Failure to provide this data will result in the Data Controller being unable to:

  • Evaluate your application in the personnel selection process, which the Data Controller may also carry out through its suppliers (third parties/recipients);
  • Manage the candidate selection process in all its phases and the related obligations.

2) Communication to third parties and dissemination

Purpose:

Communication to third parties such as:

  • Private entities engaged in employment services, intermediation, recruitment and selection, training, and professional outplacement support activities
  • Universities
  • Information technology and IT support companies

Legal basis:

  • Conducting pre-contractual activities
  • Fulfillment of legal and/or regulatory obligations arising from activities carried out during the selection process

The Data Controller does not transfer your personal data abroad (outside the EU). Your personal data will not be disseminated or disclosed to unidentified or unidentifiable subjects, not even as third parties. Communication pertains to categories of data whose transmission is necessary for executing activities and purposes pursued by the Data Controller in managing the selection process. The relevant processing does not require the consent of the data subject if carried out to fulfill obligations arising from the established relationship or if another exclusion case applies (particularly the traceability of a legitimate interest of the Data Controller), expressly provided for or dependent on the laws and regulations applied by the Data Controller, or also through third parties designated as data processors. Where the communication involves data capable of revealing health conditions, the related processing operations will be carried out with all necessary safeguards, including those that, if required based on identified risks, entail the application of pseudonymization, aggregation, and/or encryption solutions.

3) For IT security activities

Purpose:

  • Control and monitoring of services exposed on the network and on platforms under the responsibility of the Data Controller and made available to you for sending resumes and/or accessing open job/collaboration positions (e.g., forms published on the “Careers” page)
  • Implementation of procedures for detecting and notifying personal data breaches

Legal basis:

  • Access to the selection procedure
  • Compliance with legal obligations (detection and notification of data breach events)
  • Legitimate interest

How, where, and for how long are your data retained?

How
Data processing is carried out through paper-based or digital procedures by authorized individuals within the organization. These individuals are granted access to your personal data only to the extent necessary to perform the processing activities related to you.
The Data Controller periodically reviews the tools used for processing your data and the security measures in place, ensuring constant updates. The Data Controller, including through authorized processing parties, verifies that no unnecessary personal data is collected, processed, archived, or retained and that any data whose purposes have been fulfilled is no longer retained. The Data Controller also ensures that the data is kept with guarantees of integrity, authenticity, and use for the purposes of the processing activities carried out, taking into account the particular nature of these activities. These checks allow the Data Controller to assess the strict relevance, non-excessiveness, and necessity of data belonging to specific categories with respect to the selection procedure and the relationship to be established, including data provided voluntarily by you.
The Data Controller ensures that any data found to be excessive or irrelevant, even after such checks, will not be used, except for possible legal retention of the document or record containing them.

Where
Data is stored in paper, digital, and electronic archives located within the European Economic Area, with specific security measures in place.

How long
Your personal data is retained for as long as necessary to carry out the activities related to you.
In particular:

Data type: Identifying data, curriculum data, data revealing health status (even if voluntarily provided)

Retention period: Duration of the selection procedure and in any case not beyond 2 years from collection

Exceptions include:

  • Limitation of processing and other safeguards for data belonging to specific categories
  • Deletion of personal data collected through spontaneously sent resumes or in the absence of an open position
  • The Data Controller’s interest in retaining data, including data provided voluntarily by you, for the time necessary to evaluate the application, including for future employment/collaboration opportunities
  • Establishment of an employment/collaboration relationship

Unless there is any legal dispute, which extends the aforementioned terms for the time necessary to pursue the relevant purpose.

Data type: Electronic data (system and network access logs and/or IP addresses)

Retention period: The duration of retention depends on the presumed and/or detected risk and the harmful consequences resulting from it, subject to measures to anonymize the data or limit its processing.

In any case, the data must be retained (starting from the knowledge/detection of the risk event or data breach) for the time necessary to notify the supervisory authority of the detected data breach using the procedures implemented by the Data Controller, and in any case to remedy the situation.

Once all the purposes that justify the retention of your personal data have been fulfilled, the Data Controller will ensure that the data is either deleted or anonymized.

What are your rights?

The rights granted to you allow you to always maintain control over your data. Your rights include:

  • Access
  • Rectification
  • Withdrawal of consent
  • Deletion
  • Restriction of processing
  • Objection to processing
  • Data portability

In essence, you can, at any time and free of charge, without any particular burdens or formalities, exercise the following rights:

  • Obtain confirmation from the Data Controller regarding the processing of your personal data.
  • Access your personal data and learn about its origin (when the data was not obtained directly from you), the purposes and objectives of the processing, the entities to whom the data are communicated, the retention period of your data, or the criteria used to determine it.
  • Update or rectify your personal data to ensure it is always accurate and correct.
  • Withdraw consent at any time if consent is the basis for processing. However, the withdrawal of consent does not affect the lawfulness of the processing based on consent before its withdrawal.
  • Delete your personal data from databases and/or archives, including backups, when it is no longer necessary for the purposes of processing or if the processing is deemed unlawful. This applies if the conditions prescribed by law are met, and in any case, if the processing is not justified by another equally legitimate reason.
  • Restrict the processing of your personal data in certain circumstances, such as when you contest its accuracy, for the time necessary for the Data Controller to verify its accuracy. You must be informed in a timely manner when the suspension period ends or when the reason for the limitation of processing ceases, and the limitation is therefore lifted.
  • Obtain your personal data, if the processing is based on a contract and carried out by automated means, in an electronic format, so that it can be transmitted to another data controller.

The Data Controller must proceed accordingly without delay and, in any case, within one month of receiving your request. This deadline can be extended by two months if necessary, taking into account the complexity and number of requests received. In such cases, the Data Controller will inform you within one month of receiving your request and provide you with the reasons for the extension.

For further information or to submit your request, please contact: dpo@xtn-lab.com.

How and when can you object to the processing of your personal data?

For reasons related to your specific situation, you can object at any time to the processing of your personal data if it is based on legitimate interest, by sending your request to: dpo@xtn-lab.com.

You have the right to have your personal data deleted if there is no overriding legitimate reason for the processing that justifies its continuation.

To whom can you file a complaint?

Without prejudice to any other administrative or judicial actions, you can file a complaint with the Data Protection Authority. If you reside or work in another Member State, or if the violation of data protection laws occurs in another EU country, the competent authority to receive and address the complaint will be the supervisory authority established in that country.