The submission of applications and the verification of the requirements for employment and/or the start of a collaboration with Ferrari Fashion School S.r.l. involve the collection of information that constitutes personal data pursuant to Legislative Decree 196/2003, as amended and supplemented (hereinafter, the “Code”), as well as Regulation (EU) 2016/679 (hereinafter, the “GDPR”).
1.DATA CONTROLLER
The data controller is Ferrari Fashion School S.r.l. (“the Company”), with registered office at Via U. Visconti Di Modrone 2, 20122 Milan – Italy, VAT no. 12581670960 and Tax Code 08913130962, (hereinafter, the “Controller” or “Ferrari”) and provides candidates (hereinafter, the “Candidates”), who submit an application request, with the privacy notice pursuant to Art. 13 of the GDPR.
The Controller may be contacted at any time at the email address: privacy@ferrarifashionschool.com or at the address indicated above.
The Controller has not appointed a Data Protection Officer (DPO), as it is not subject to the designation obligation provided for by Art. 37 of the Regulation.
2. DATA PROCESSED
The data processed, through the submission and analysis of the application for the purposes of employment and/or the start of a collaboration, are name, surname, place and date of birth, nationality, residence/domicile (hereinafter, the “Personal Details”), telephone number and email address (hereinafter, the “Contact Details”) and all further data contained within the Candidate’s curriculum vitae. Therefore, the Candidate must not indicate personal data belonging to special categories – such as, pursuant to Art. 9 of the GDPR, data capable of revealing racial and ethnic origin, religious, philosophical or other beliefs, political opinions, membership of parties, trade unions, associations or organizations of a religious, philosophical, political or trade-union nature, as well as personal data capable of revealing health status and sex life – which will in any case, if voluntarily provided by the Candidate, be immediately deleted.
3. PURPOSES AND LEGAL BASES OF PROCESSING
The Personal Details, Contact Details and all further data provided by the Candidate (hereinafter, jointly, the “Data”) are processed only for the evaluation of the application.
More specifically, the Data are used to (i) examine the Candidate’s application request and (ii) proceed with the verification of the requirements for employment and/or for the start of a collaboration.
The legal basis for the processing of the data collected is the performance of a contract to which the data subject, as data subject, is a party and/or the performance of pre-contractual measures adopted at the request of the data subject (Art. 6, paragraph 1, letter b) of the GDPR). Where necessary, the data may also be used on the basis of the Controller’s legitimate interest in carrying out defensive activities or asserting or defending a right in court pursuant to Art. 6, paragraph 1, letter f) of the GDPR.
4. RECIPIENTS OF DATA COMMUNICATION
The Data provided may be known by: (i) the employees and collaborators of the Controller, duly designated to process the data pursuant to Art. 29 of the GPDR; (ii) third parties that provide ancillary or instrumental services from an IT perspective for the management of the Controller’s application activities, duly appointed as external data processors or independent controllers; (iii) consultants for the management of litigation and for legal assistance, as independent controllers, in the event of any disputes for which their involvement becomes necessary.
The Candidate may also request from the Controller the list of the subjects who will operate as data processors (in such case, they are appointed in writing by the Controller, pursuant to Art. 28 of the GDPR, and will process personal data on behalf of the Controller) or as independent data controllers.
In any other case, the Data will not be communicated to third parties, unless this is necessary to comply with requests from public authorities.
5. PLACE OF DATA PROCESSING
The Processing of the Data will take place at the Controller’s office indicated above. The Data will be stored on servers and/or physical archives located exclusively within the European Union. However, in the event that the Data are transferred outside the European Union, the Controller will ensure that the transfer takes place in compliance with the GDPR and, in particular, in compliance with Arts. 45 (Transfer on the basis of an adequacy decision) and 46 (Transfer subject to appropriate safeguards) of the GDPR.
Therefore, in any case, no processing or transfers of the Data will be carried out outside the territory of the European Union or to countries that do not provide adequate guarantees for the protection of personal data.
6. PROCESSING METHODS, RETENTION PERIOD AND SECURITY MEASURES
The Controller will process the Data with and without the aid of electronic, IT or automated tools, adopting specific logical, organizational and technical security measures to prevent data loss, unlawful or incorrect use and unauthorized access.
The Data will not be processed and stored for a period of time longer than strictly necessary to achieve the purposes for which they were collected. In particular, for a period that allows the application to be evaluated and the Candidate to be selected and in any case no longer than one year from their collection, unless an employment and/or collaboration relationship is established.
Any defensive needs of the Controller and of the Candidate remain unaffected, for which the Data may also be stored beyond the terms indicated.
7. MANDATORY NATURE OF PROVIDING DATA
The provision of the Data for the purposes referred to in paragraph 3, points (i) and (ii), is optional and is left to the will of the Candidate who, without any solicitation by the Controller, submits their curriculum vitae. With regard to the Data subsequently and possibly requested by the Controller, failure to provide them entails the impossibility of proceeding with the verification of the requirements for employment and/or for the start of the collaboration and, therefore, with the possible establishment of the relationship with the Controller.
8. RIGHTS OF THE DATA SUBJECT
Candidates, as data subjects (i.e., subjects to whom the Data refer), hold rights granted by the GDPR. In particular, pursuant to Arts. 15-22 of the GDPR, they have the right to request and obtain (i) the origin of the personal data; (ii) the purposes and methods of processing; (iii) the logic applied in the event of processing carried out with the aid of electronic tools; (iv) the identification details of the controller and processors; (v) the subjects or categories of subjects to whom the personal data may be communicated or who may become aware of them as processors or persons in charge.
Furthermore, Candidates have the right to obtain:
a) access, updating, rectification or, where they have an interest, integration of the data;
b) erasure, transformation into anonymous form or restriction of data processed in breach of the law, including data whose retention is not necessary in relation to the purposes for which the data were collected or subsequently processed;
c) certification that the operations referred to in letters a) and b) have been brought to the attention, also as regards their content, of those to whom the data have been communicated or disseminated, except where such compliance proves impossible or involves the use of means manifestly disproportionate to the protected right.
Furthermore, Candidates have:
a) the right to withdraw consent at any time, where the processing is based on their consent;
b) the right to data portability (the right to receive all personal data concerning them in a structured, commonly used and machine-readable format);
c) the right to object:
i) in whole or in part, on legitimate grounds, to the processing of personal data concerning them, even if relevant to the purpose of collection;
ii) in whole or in part, to the processing of personal data concerning them for the purposes of sending advertising material or direct sales or for carrying out market research or commercial communication;
iii) where personal data are processed for direct marketing purposes, at any time, to the processing of their data carried out for such purpose, including profiling to the extent that it is related to such direct marketing.
d) where they believe that the processing concerning them violates the GDPR, the right to lodge a complaint with a Supervisory Authority (in the Member State where they usually reside, where they work or where the alleged violation occurred). The Italian Supervisory Authority is the Garante per la protezione dei dati personali, with offices in Piazza Venezia no. 11, 00187 – Rome (http://www.garanteprivacy.it/). To exercise their rights, it is always possible to contact the Controller at the contact details indicated above.