STAFF SELECTION PRIVACY POLICY

Privacy policy for candidates for Boggi Group selection

Privacy policy pursuant to articles 13-14 of Regulation (EU) 2016/679 (GDPR) and the Federal Law on Data Protection (LPD), and in compliance with the principles established by the privacy legislation of the United Kingdom (UK GDPR)

1.THE FOLLOWING COMPANIES

The following companies of the Boggi Group are joint data controllers:

  • STANCE S.A. with registered office in Via Maria Ghioldi Schweizer 1, 6850 Mendrisio (Switzerland);

    • and

  • B939 Sub-holding SPA, with registered office in Via Lancetti Nr.28 - 20158 Milan (MI) (Italy);

    • or

  • BBB SPA, with registered office in Via Lancetti No. 28 – 20158 Milan (MI) (Italy);

    • or

  • The individual retail companies where you are applying:

    • Boggi Hispania SLU with headquarters in Calle Serrano 8, 28001 Madrid;
    • Boggi France S.a.r.l. with headquarters in 112, Bd Saint Germain, 75006 Paris;
    • Boggi Deutschland Gmbh with headquarters in Theatinerstrasse 8 Fünf Hofe, 80333 Munich;
    • Boggi Austria Gmbh with headquarters in Seilerstätte 16, 1010 Vienna;
    • Boggi Hong Kong Limited with headquarters in Unit 304 – 7, 3/F Laford Centre 838 Lai Chi Kok Road, Cheung Sha Wan, Kowloon, HK;
    • Boggi Luxembourg S.a.r.l. with headquarters in 34, Rue Philippe Ii, L-2340 Luxembourg;
    • Boggi Belgium NV with headquarters in Av. Toison D'or 47a, 1050 Brussel;
    • Boggi Singapore PTE Ltd. with headquarters in 16 Raffles Quay #33-03, Hong Leong Building;
    • Boggi Sweden AB with headquarters in Tönnerviks Horwath Revision Syd Ab Södra Vallviksvägen 12, 352 51 Vȃxjö;
    • Boggi Hungary KFT with headquarters in H-1134 Budapest, Váci Út 33;
    • Boggi Macau Limited with headquarters in Avenida Praia Grande, N°S 367-371, Keng Ou Building, 17th Floor C, Macau;
    • Boggi Holland BV with headquarters in Pieter Cornelisz. Hooftstraat 38 A, 1071BZ Amsterdam;
    • Boggi Hellas Societe Anonyme with headquarters in 12, Navarinou Street P.C. 10680 Athens;
    • B1939M Unipessoal LDA with headquarters in Rua Alexandre Herculano, Nr.23, 2.º Santo António 1250 008 Lisboa;
    • BOGGI UK LTD with headquarters in 79, Jermyn Street Sw1y61x, London;
    • BOGGI SWITZERLAND SA with registered office in Via Maria Ghioldi Schweizer 1, 6850 Mendrisio (Switzerland).

DATA PROTECTION OFFICER – DPO

The Group has appointed its own Data Protection Officer (DPO) pursuant to articles. 37, 38 and 39 of the GDPR.

The Joint Controllers and the designated DPO can be reached at the office indicated above and via e-mail at the address: privacy@boggi.com

2.TYPE OF DATA THAT MAY BE PROCESSED

Personal data: any information relating to an identified or identifiable natural person («data subject»); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more elements characteristic of his or her physical, physiological, genetic, psychological, economic, cultural or social identity.

Any special data: personal data capable of revealing racial or ethnic origin and data relating to the person's health and based on laws on compulsory hiring (e.g. protected categories and compulsory hiring as per applicable regulations).

Based on Law or Regulations, any data relating to criminal convictions and crimes or related security measures (see art. 10 GDPR): The personal data relating to criminal convictions and crimes or related security measures on the basis of Article 6(1) must only be processed under the control of the public authority or if the processing is authorised by European Union or Member State law which provides appropriate guarantees for the rights and freedoms of the data subjects.

3. SOURCE OF DATA (in case of data collected from third parties and not directly from the data subject). We may obtain your personal data through recruitment agencies and/or headhunters.

4. PURPOSE OF THE PROCESSING, LEGAL BASIS, RETENTION PERIOD, NATURE OF THE PROVISION

       PURPOSE OF THE PROCESSINGLEGAL BASISDATA RETENTION PERIODNATURE OF THE PROVISION
A) Selection of personnel, scarrying out research and selection of personnel for the purpose of the possible establishment of an employment relationship, also for any positions different from those for which the data subject applied spontaneously; retention of personal data also for future selections; managing applications in response to job offers published on our website; interviews and any video interviews (data processing including image/audio). Data processing is necessary for the execution of pre-contractual measures adopted also at the request of the data subject Article 6, par. 1, letter b) of the GDPR In principle, the data collected during the hiring process will be deleted as soon as it becomes clear that no offer of employment will be made or that the offer will not be accepted by the candidate and at a maximum of 12 months. The provision of personal data is necessary to process data for selections. Failure to provide the necessary personal data will make it impossible to apply.
B) Management of your applications and applications of other data subjects, pursuant to art. 15 et seq. of the GDPR (rights of the data subject) The processing is necessary to fulfil a legal obligation to which the Joint Data Controllers are subject (C45) Article 6, par. 1, letter c) of the GDPR 5 years from the closing of the application, barring disputes The provision of personal data is mandatory, as it is essential to fulfil legal obligations.
C) Collection of information contained on the candidate's publicly accessible social media profiles; The Joint Controllers may collect and process the candidate's personal data to the extent that such collection is necessary and relevant for the execution of the research activity relating to the job task. The processing is necessary for the pursuit of the legitimate interests of the joint controllers or third parties, provided that the interests or fundamental rights and freedoms of the data subject which require protection of personal data do not prevail (C47-C50) Article 6, par. 1, letter f) of the GDPR In principle, the data collected during the recruitment process will be deleted as soon as it becomes clear that no offer of employment will be made or that the offer will not be accepted by the candidate. Maximum 12 months The provision of personal data is optional. Failure to provide personal data does not make it impossible to undergo the selection process
D) Selection of personnel from other group companies. Communication of personal data and curriculum vitae to group companies for their selections. The processing is necessary for the pursuit of the legitimate interestsection of personal data do not prevail (C47-C50) Article 6, par. 1, letter f) of the GDPR In principle, the data collected during the recruitment process will be deleted as soon as it becomes clear that no offer of employment will be made or that the offer will not be accepted by the candidate and at a maximum of 12 months. The provision of personal data is optional. The refusal must be balanced with the legitimate interest of the Joint Data Controllers
E) Verification, over the previous three years, of the candidate's employment relationships, including the indication of names/data referring to previous employers, start dates of the employment relationship and the position held. Processing is necessary for the pursuit of the legitimate interests of the joint controllers or third parties, provided that the interests or fundamental rights and freedoms of the data subject which require protection of personal data do not prevail, taking into account the reasonable expectations of the data subject (Art. 6, par. 1, letter f and C47 of the GDPR) In principle, the data collected during the hiring process will be deleted as soon as it becomes clear that no offer of employment will be made or that the offer will not be accepted by the candidate and at a maximum of 12 months. The provision of personal data is optional. The refusal must be balanced with the legitimate interest of the Joint Data Controllers

5. RECIPIENTS OR CATEGORIES OF RECIPIENTS OF THE DATA

The data will not be disclosed but rather communicated to subjects who will process them as independent data controllers or data processors (art. 28 GDPR) through natural persons (art. 29 GDPR) who act under their authority on the basis of specific instructions provided regarding the purposes and methods of processing. The data will be communicated to recipients belonging to the following categories:

  • Group companies;
  • Subjects who manage/support/assist, even occasionally, the Joint Controllers in the administration of the information system and telecommunications networks (including e-mail, websites and/or web platforms also for training and video calls, SW, HW, APP , badges and attendance/access tools);
  • firms or companies based in Italy in the context of assistance and consultancy relationships;
  • any third parties and labour consultants and companies for personnel selection purposes;
  • subjects and SB 231/2001 members based in Italy*;
  • Competent authorities for compliance with legal obligations and/or provisions of public bodies, upon request.

The complete list of data controllers identified pursuant to art. 28 is available by writing to the addresses indicated above.

[*: if you are applying for a position at BBB SPA]

6. DATA TRANSFER

Personal data may be processed by each Joint Controller. It is specified, in particular, that the data will be retained in Europe.

7. AUTOMATED PROCESS

Personal data will be subjected to traditional manual, electronic and automated processing. Please note that fully automated decision-making processes are not carried out.

8. RIGHTS OF DATA SUBJECTS

You will be able to assert your rights as stated in articles. 15 et seq. GDPR, by contacting the DPO or the individual Joint Data Controller at the address above. You have the right, at any time, to request access to your personal data (art.15), rectification (art.16), erasure of the same (art.17), restriction of processing (art.18 ). The Joint Data Controllers communicate (art. 19) to each of the recipients to whom the personal data have been transmitted any rectifications, erasures or restrictions of the processing carried out. The Data Controllers communicate these recipients to the data subject if the data subject requests it. In the cases provided for, you have the right to the portability of your data (art.20) and in this case they will be provided to you in a structured format, commonly used and readable by an automatic device. You have the right to oppose (art.21), at any time, the processing of data based on legitimate interest, and in cases where the legal basis is consent, you have the right to withdraw the consent given without prejudice to the lawfulness of the processing based on consent before withdrawal. In the event that the data subject believes that the processing of personal data carried out by the Joint Controllers is in violation of the provisions of Regulation (EU) 2016/679, he/she has the right to lodge a complaint with the Supervisory Authority, in particular in the Member State in question where he/she habitually resides or works or in the place where the alleged violation of the regulation occurred (Data Protection Authority https://www.garanteprivacy.it/), or to take action through the appropriate judicial offices.

9. CHANGES TO THE PRIVACY POLICY

The joint controllers reserve the right to change, add or remove any part of this Privacy Policy.

Update date: 6 March 2024