PRIVACY STATEMENT PURSUANT TO ART. 13 OF EU GENERAL DATA PROTECTION REGULATION 2016/679 (GDPR)
Pursuant to art. 13 of EU Regulation 2016/679 (“GDPR”) the following are data controllers for staff selection processes carried out with the Inrecruiting platform, each solely with reference to personal data within their competence:
- ISTITUTO MEDITERRANEO PER I TRAPIANTI E TERAPIE AD ALTA SPECIALIZZAZIONE S.r.l., in the person of its director Angelo Luca, vested with the necessary powers under resolution of the Board of Directors dated 6 April 2016 and with power of attorney certified by Notary Public Du Chaliot of 25 July 2016, with registered office in Palermo, Discesa dei Giudici 4, fiscal code, VAT number, and enrollment in the Register of companies of Palermo n. 04544550827;
- .UPMC ITALY S.r.l.,in the person of the chairman of its board of directors, Giuseppe Dell’Acqua, with registered office in Palermo, Discesa dei Giudici 4, fiscal code, VAT number, and enrollment in the Register of companies of Palermo n. 04532690825, in the capacity of joint controller for personal data processing carried out at ISMETT, and data controller for personal data processing of UPMC ITALY, the Italian subsidiary of the UPMC Group in Pittsburgh (U.S.A.);
- SALVATOR MUNDI INTERNATIONAL HOSPITAL S.r.l., in the person the chairman of its board of directors, Giuseppe Dell’Acqua, with registered office in Rome, Viale delle Mura Gianicolensi 67, fiscal code, VAT number, and enrollment in the Register of companies of Rome n. 09023871008.
Personal data included in your CV and any other information obtained during the selection (e.g., certifications, documents, and application form) will be processed for the sole purpose of assessing your possible collaboration with, or hiring by ISMETT, UPMCI or SMIH, depending on which of the companies will act as employer or on the subject with whom you will enter a working relationship.
Data will be processed using electronic tools and hard copy forms with appropriate modalities that guarantee their safety and confidentiality, thus complying with the provisions of the GDPR. The legal basis of your data processing is described in art. 6.1(b) of the GDPR ("processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract").
Your data are mandatory to evaluate your application, therefore failure to provide them may preclude this evaluation. Your CV should only contain data necessary to assess your professional profile, and should not include information defined by the GDPR as "special categories of personal data" (e.g., information on your health, political opinions, trade union membership) that require your explicit consent as legal basis for their processing under art. 9.2(a) of the GDPR, "explicit consent of the data subject to processing"). Therefore, should you require it is necessary to provide special categories of personal data , please tick the box below. If you wish to provide special categories of personal data, you may do so only with the consent provided ticking the appropriate box in the application form. The legal basis for this processing is art. 6.1(a) in connection with art. 9.2(a) of the GDPR (data subject consent).
Should no consent be provided, the special categories of data included in the CV (e.g., inclusion in protected categories) will be stored in accordance with the law only to preserve the integrity of the document containing the data, but will not be used for further purposes.
With reference to career opportunities specifically addressed to individuals included in protected category, if you are included in a so-called "protected category" and you intend to avail yourself of the benefits under Law 68/99, the consent will no longer be required as data processing is carried out according to art. 6.1(b) of the GDPR("Performance of a contract to which the data subject is party") in connection with art. 9.2(b) of the GDPR("Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the data subject in the field of employment").
In case of a spontaneous application, your personal data will be stored for a maximum period of one (1) month in the case of a paper CV, or five (5) years in the case of an electronic CV, starting from the date of receipt or from the date of communication of the last updated CV. In case of participation in a selection, the documentation (e.g., CV, assessment forms, tests, candidate forms) are filed for five (5) years from the date of closure of the selection, to participate in other selections, and for 10 years for any protection in court of the rights of the data controllers. In this case, the legal basis of the processing is art. 6.1(b) of the GDPR ("Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract") and, as regards the exemption from the prohibition of processing of special categories of personal data, by art. 9.2(f) of the GDPR ("Processing is necessary for the establishment, exercise or defence of a right in court"). This period will start from the end of the year in which the call for application was published. Your personal data may be processed by employees and consultants of each data controller in charge of the staff selection, acting in compliance with specific instructions on objects and purposes of data processing. Your personal data may also be disclosed to third parties such as, for example, recruiting companies appointed data processors, and providing ancillary or instrumental services to the data controller.
In addition to accessing application profiles for its job vacancies, each data controller reserves the right to access profiles for job vacancies published by the other companies of the UPMC Group - each of which designated as data controller - in order to exchange information within the UPMC Group and facilitate the matching of job vacancies and job requirements based on the profiles of the candidates; the transfer of personal data of candidates within the UPMC Group is a legitimate interest of the data controller under art.6.1(f) in consideration of Recital 48 of the GDPR (“Controllers that are part of a group of undertakings or institutions affiliated to a central body may have a legitimate interest in transmitting personal data within the group of undertakings for internal administrative purposes, including the processing of clients' or employees' personal data”).
Due to the collaboration with the UPMC Group in Pittsburgh (U.S.A.), we inform you that your data may be transferred to the United States of America. Due to the fact that legislation in the U.S.A. does not guarantee, according to EU regulations, an adequate level of personal data protection, by signing the Standard Contractual Clauses approved by the European Commission, the UPMC Group commits to enforce safety measures to protect transferred personal data. A copy of these contractual clauses can be obtained contacting the DPO at the addresses indicated below. The data will not be disseminated in any way.
The DPO at ISMETT can be reached at:[email protected];
The UPMCI DPO can be reached at: [email protected];
The SMIH DPO can be reached at: [email protected]
As a data subject, you have the right to obtain from the data controller authorization to access, rectify or delete, and to limit or deny the processing of your personal data (art. 15 et seq., GDPR). When data processing is carried out on the basis of your consent, you may decide to withdraw it at any time. These rights can be exercised by a simple request forwarded to the DPO at each data controller at the addresses indicated above, or contacting the data controllers at [email protected] and [email protected]. A template of the request is available from the Italian Data Protection Authority ("Garante") here.
Should you deem your personal data has been processed in breach of the GDPR, you have the right to file a complaint to the Italian Personal Data Protection Authority ("Garante") pursuant to art. 77 of the GDPR or to bring action before the appropriate courts (art. 79 of the GDPR).
Last update: October 2023
