Who are we and what do we do with your personal data?

IGD SIIQ S.p.A., hereinafter the Data Controller, protects the confidentiality of your personal data and provides it with the necessary protection from any event that may put it at risk of violation.

For this purpose, the Data Controller implements policies and practices regarding the collection and use of personal data and the exercise of your rights under applicable law. The Data Controller is responsible for updating the policies and practices adopted for the protection of personal data whenever necessary and in any case in the event of regulatory and organisational changes that may affect the processing of your personal data.

The Data Controller appointed a Data Protection Officer (DPO) who you can contact if you have questions about adopted policies and practices. The contact details of the Data Protection Officer are as follows: dpo@gruppoigd.it

How does the Data Controller collect and process your data?

The Data Controller collects and/or receives information about you, such as:

  • name, surname, tax code, email, address, telephone number, id code
  • data relating to health certificates
  • salary data
  • data log pertaining to the use of computer equipment

Your personal data will be processed for the following purposes:

1) to manage the internship contract and the consequent obligations, regulatory or otherwise

Your personal data are processed in order to manage the internship contract in all its phases, such as:

  • the correct quantification of remuneration, for allowances, bonuses, other remuneration, donations and fringe benefits
  • compliance with legal and contractual obligations
  • the fulfilment of specific obligations or the performance of specific tasks arising from laws, regulations or collective bargaining agreements, including company agreements, in particular to establish, manage and terminate the internship contract, as well as to grant facilitations and apply regulations concerning trade union matters and health protection
  • the fulfilment of obligations in respect of pension and social security institutions
  • compliance with tax obligations towards the tax authorities
  • fulfilment of the obligations deriving from the rules on occupational health and safety
  • performing all the activities that are instrumental and ancillary to the main activities and in any case needed to achieve said purposes (registration, archiving, consultation and retention of data, etc.)

Your data may also be collected from third parties such as, for example:

  • other data controllers, e.g. the companies of the group to which the Data Controller belongs, employment centers, universities, promoters companies.

It will be your responsibility to inform the Data Controller of any change in the data subject to processing, in order to ensure proper management of the contract, without prejudice to your right to correction.

2) for communication to recipients and/or third parties

Your personal data is processed under the contract and the legal and regulatory obligations resulting from it.

Your data will not be disclosed to third parties/recipients for their own purposes unless:

  1. you authorise the Data Controller to do so.

Your data will not be disclosed to third parties/recipients if:

  1. it is necessary for the fulfilment of obligations under the contract and law regulations governing it (e.g. for the defence of your rights, for reporting to the supervisory authorities, etc.);
  2. the communication is made to business consultants, job consultants, lawyers, companies of the Group to which the Data Controller belongs, IT consultants, banks, Public Entities;
  3. any third parties (family members, cohabitants) you may have delegated to receive information that concerns you.

3) for information security activities

The Data Controller processes, also through its suppliers (third parties and/or recipients), your personal data, including IT (e.g. logical access) or traffic data collected or obtained in the case of services displayed on the website www.gruppoigd.it to the extent strictly necessary and proportionate to ensure the security and capacity of a network or its servers to withstand, at a given level of security, unforeseen events or unlawful or malicious acts that compromise the availability, authenticity, integrity and confidentiality of retained or transmitted personal data.

For these purposes, the Data Controller envisages procedures for the management of personal data breaches in compliance with the legal obligations to which it is subject.

4) for the management of the company tools used for work

The Data Controller processes your data, including IT data (system and network logs), detected by the electronic instrumentation made available to its employees, in compliance with the guarantees referred to in art. 4, paragraphs 2 and 3, L. 300/1970 and the GDPR provisions, in order to allow you to carry out your work safely and to:

  • manage organizational and production needs;
  • guarantee work safety;
  • take measures to protect the corporate assets;
  • fulfill any requests for the judicial authority.

Below you can find a table of the instruments that process personal and/or identification data:

| Work tools | Checks on the activities carried out | Retention |
| Personal Computer: permanent or mobile workstation assigned to data subject (employee) and used by one or more subjects (shared) | Domain authorization by corporate network | 3 months (log Active Directory) |
| | Domain authorization by VPN | 1 month (log Palo Alto/Fortinet) |
| | Browsing websites | 1 month (log Palo Alto) |
| | Network traffic regulation towards internal destination enabled by data subject tasks | 1 month (log Palo Alto) |
| | Enabled corporate applications access and use | 3 months |
| | Files access and use on enabled shared folders | 3 months |
| | Hardware and software set up detection upon every workstation | On Ivanti: until dismission of the device |
| Fixed/mobile corporate telephone | Activity record (e.g. calls) | 3 months |

What happens if you do not provide your data?

If you do not provide your personal data, the Data Controller will not be able to carry out the processing operations related to the management of the contract and its services or the obligations that depend on it.

The Data Controller informs you that if you do not communicate your data, or communicate incorrect data, it could be impossible:

  • to fulfil the contract;
  • to fulfil the contract (also through third parties / recipients) in all its phases, from keeping the accounts to the fulfilment of taxation, social security (e.g. INAIL, etc.), health, hygiene and safety at work obligations (D.lgs. 81/2008)
  • to fulfil fiscal and administrative obligations or labor legislation.

The intention of the Data Controller was to carry out certain processing operations in accordance with certain legitimate interests that do not affect your right to confidentiality, such as those that:

  • allow the management of your contract;
  • allow the management of organizational and production needs, the protection of the corporate assets or the guarantee of work safety;
  • prevent IT accidents and allow notification to the supervisory authority or communication to users, if necessary, of the personal data breach;
  • allow the communication of your personal data to Public Entities for administrative purposes;
  • allow communication to third parties/recipients for activities related to those of contract management.

How, where and for how long are your data stored?

How

Data processing is carried out on paper or through IT procedures by internal subjects authorised and trained for this purpose. They are granted access to your personal data to the extent and within the limits required for carrying out the processing activities that concern you.

The Data Controller periodically checks the tools by means of which your data is processed and its security measures, which it constantly updates; it makes sure, also through the subjects authorised to process the data, that personal data for which processing is not necessary is not collected, processed, stored or retained; it makes sure that the data is retained with the guarantee of integrity and authenticity of its use for the purposes of the processing actually carried out.

Where

The data is retained on paper, computer and electronic files located within the European Economic Area, and appropriate security measures are ensured.

How long

The personal data processed by the Data Controller is retained for the time necessary for the carrying-out of activities related to the management of the contract with the Data Controller and until ten years after its conclusion (art. 2946 of the Italian Civil Code) or from when the rights that depend on it can be enforced (pursuant to art. 2935 of the Italian Civil Code); as well as for the fulfilment of the obligations (e.g. tax and accounting obligations) that remain even after the conclusion of the contract (art. 2220 of the Italian Civil Code), for the purposes of which the Data Controller must retain only the data necessary for their furtherance. This is without prejudice to the cases in which the rights deriving from the contract should be asserted in court, in which case your data, only that necessary for these purposes, will be processed for the time necessary to pursue them.

The retention of your personal data collected through work tools is specified in paragraph 4.

This is without prejudice to your right to oppose at any time the processing based on legitimate interest for reasons related to your particular situation.

What are your rights?

In substance, at any time and free of charge and without any special charges or formalities for your request, you can:

  • obtain confirmation of the processing carried out by the Data Controller;
  • access your personal data and know its origin (when the data is not obtained directly from you), the purposes of the processing, the data of the subjects to whom it is communicated, the period of retention of your data or the criteria used to determine it;
  • withdraw your consent at any time if this is the basis for the processing. In any case, the withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal;
  • update or rectify your personal data so that it is always accurate and correct;
  • erase your personal data from the databases and/or files, including backup files, of the Data Controller, if, among other things, it is no longer necessary for the purposes of the processing or if this is deemed unlawful, and provided that the conditions laid down by law are met; and in any event if the processing is not justified by another equally legitimate reason;
  • restrict the processing of your personal data in some circumstances, for example if you have contested its accuracy, for the period required for the Data Controller to check its accuracy. You must also be informed, in reasonable time, of when the period of suspension has ended or the cause of the restriction of processing has ceased to exist, and therefore the restriction itself withdrawn;
  • obtain your personal data, if received and/or in any case processed by the Data Controller with your consent and/or if its processing is carried out on the basis of a contract and with automated tools, in electronic format also in order to transmit it to another data controller.

The Data Controller must do so without delay and, in any case, at the latest within one month of receipt of your request. The time limit can be extended by two months, if necessary, taking into account the complexity and the number of requests received by the Data Controller. In such cases, the Data Controller will inform you of the reasons for the extension within one month of receipt of your request.

For any further information and to send your request, please contact the Data Controller at privacy@gruppoigd.it

How and when can you oppose the processing of your personal data?

For reasons relating to your specific situation, you may oppose at any time the processing of your personal data if this is based on legitimate interest, by sending your request to the Data Controller at the email address privacy@gruppoigd.it

You have the right to have your personal data erased if there is no legitimate reason overriding the one that gave rise to your request.

Who can you complain to?

Without prejudice to any other administrative or judicial action, you may submit a complaint to the competent supervisory authority or to the authority that carries out its tasks and exercises its powers where you have your habitual residence or work or, if different, in the Member State where the violation of Regulation (EU) 2016/679 occurred.

Any update of this information will be communicated to you in a timely manner and by appropriate means and you will also be informed if the Data Controller will process your data for purposes other than those referred to in this information before carrying it out and in time to give your consent if necessary.