Information Notice for Candidates

Articles 13-14 of Regulation (EU) 2016/679 (GDPR)

Data Controller

The Data Controller is:
Gnutti Transfer S.p.A, a sole shareholder joint-stock company, headquartered at via D. Ghidoni 187, Ospitaletto (BS), Italy, VAT and Tax Code 03083060172.
Contact Information:

  • Email: privacy@gnutti.com
  • Phone: +39 030 64 00 61
  • Fax: +39 030 64 07 45

Sources and Categories of Personal Data Processed

The personal data processed are collected:

  1. Directly from the candidate, via CV or other direct application methods.
  2. From third parties, such as databases or private investigation companies.

Only common personal data (e.g., identification, curriculum data) are processed. Candidates are not required to provide special categories of data (e.g., health status, racial or ethnic origin, political opinions, union membership, biometric data, etc.), unless explicitly requested for specific purposes related to the establishment of an employment relationship (e.g., membership in protected categories).

Purpose and Legal Basis for Processing

Personal data are processed for:

  • Assessing the requirements for employment or collaboration.
  • Responding to the candidate’s application.

Legal Basis:

  • Article 6(1)(b) of the GDPR: Processing is necessary for pre-contractual measures requested by the candidate.
  • For special categories of data, explicit consent is required under Article 9(1)(a) of the GDPR.

Provision of Data and Consequences of Refusal

  • Optional: Providing personal data via CV is voluntary.
  • Mandatory for Verification: If additional data is requested, failure to provide them will prevent the verification of employment or collaboration requirements.

Processing Methods

Data processing is carried out using:

  • Paper, IT, and telematic tools.
  • Manual or automated procedures that ensure security and confidentiality.

No automated decision-making processes (including profiling) are applied.

Data Transfer Outside the EU

Data processing primarily occurs in Italy and the EU but may extend to non-EU/EEA countries when operationally necessary, ensuring compliance with GDPR safeguards.

Data Retention Period

Personal data will be retained for up to 5 years from their collection, unless an employment or collaboration relationship is established.

Categories of Recipients

Personal data will be shared with:

  • Internal or external data processors and controllers responsible for specific tasks.
  • Third parties, only in cases required by law.

Data will not be disseminated, unless mandated by legal obligations.

Rights of the Data Subject

The data subject may exercise their rights under Articles 15-22 of the GDPR at any time, including:

  • Access to personal data.
  • Rectification or updating of data.
  • Deletion (right to be forgotten) or restriction of processing.
  • Data portability to another controller.
  • Objection to processing.
  • Withdrawal of consent, without affecting the lawfulness of processing prior to withdrawal.
  • Filing a complaint with the Data Protection Authority (www.garanteprivacy.it).

Security Measures

The organization ensures data protection through adequate and updated security systems, in compliance with Article 5 of the GDPR.