Aegis Srl
FOR CLIENTS top
INFORMATION NOTICE PURSUANT TO SECTIONS 13 AND 14 GDPR
Dear Data Subject,
In accordance with the provision set forth by the European Regulation 2016/679 of the EU Parliament and of the Counsel dated April 27, 2016, concerning the protection of natural persons with regard to processing of personal data (hereinafter, the “GDPR” or the “Regulation”), Aegis S.r.l., in person of its pro tempore legal representative. having its legal offices in Milan, via Gaetano Negri 8, 20123, VAT number 03516140963, certified e-mail address: aegishr@legalmail.it, in its quality of controller of your personal data (hereinafter, the “Controller”), and, where applicable, Aegis UK – Recruiting & Consulting Ltd. in person of its pro tempore legal representative, having its legal offices in 20 Fitzroy Square W1T 6EJ – London, United Kingdom, VAT number 255 7676 63, certified e-mail address: aegishr@legalmail.it, in its quality of processor of your personal data, provide you with the present information notice, pursuant to Sections 13 and 14, GDPR, in relation to the processing of your personal data communicated to us by you or by third parties (hereinafter, the “Information Notice”).
- Identity and Contact details of the Controller
Aegis S.r.l., having its legal offices in Milan, via Gaetano Negri 8, 20123, VAT number 03516140963, certified e-mail address: aegishr@legalmail.it, in person of its pro tempore legal representative
- Contact of the Data Protection Officer
Aegis S.r.l. has appointed as Data Protection Officer Mr. Antonio Virgallita, available at the following email address: privacy@aegishcg.com.
You will be free to contact the DPO for any matter related to the processing of your personal data and/or should you want to exercise your rights, as indicated and described below, sending out a written communication at the email address above.
- Purposes of the processing for which the personal data are intended and related legal basis
Personal data will be processed:
(i) without your consent (Section 6, items b, c, f, GDPR), for the following purposes:
a) performance of pre-contractual and contractual obligations deriving from the execution of a possible contract (service provision);
b) compliance with legal obligations, as provided for by a regulation or a law (national or EU), or perform an order of public or judicial Authority or controlling Authority to which the Controller is subject;
c) exercise of the rights of the Controller, with particular reference to judicial defensive rights.
d) direct marketing of services, promotional events and commercial and/or professional activities; distribution of information materials, sending out of commercial newsletters and publications directly related to the activities performed by the Controller, as well as anonymous sector analysis for dissemination purposes;
e)management of surveys and customers’ satisfaction questionnaires;
f) storage of information related to these activities
The collection of your personal data for the purposes under par. (i), from a) to c) above, is necessary. Any express refusal to provide such data may cause the impossibility to the Controller to perform the contractual services and to comply with obligations to which the Controller is subject.
The processing of your personal data for the purposes under par (i), from d) to f) is necessary for the purposes of the legitimate interest pursued by the Controller, after verifying that rights and freedoms of the data subject do not overrule such interest.
The legitimate interests of the Controller shall include, by way of example, the response to requests received from you or from third party, optimizing of the experience of its customers, effective and appropriate communication related to services and activities performed by the Controller, as well as dissemination activities and services.
The data subject will have the possibility to refuse the sending of such communication by means of a request to be sent by email to the following certified email address: privacy@aegishcg.com.
- Processed Categories of Personal Data
Pursuant to Section 4, n. 1, GDPR, for “personal data” and within the purposes of processes mentioned under par. 2) above, we shall exclusively process those personal data concerning, by way of example, your name and family name, tax code, date of birth, VAT number, residence, domicile, number of passport and/or ID, work address, email, certified email address, phone and fax numbers, and, possibly, employer company, business role and/or position.
Pursuant to principle of “data minimization” stated by section 5, n.1, GDPR, you will not to send your personal data to the Controller, except where personal data are strictly necessary to perform contractual and / or commercial activities. In such a case, personal data should be transferred to the Controller anonymously or under pseudonyms, as expressly stated by GDPR.
Should it be necessary to process more data in addition to the ones of legal representative and/or contact persons, for the purpose of executing contractual relationship with a customer (legal entity, hereinafter, the “Client”), and if these personal data could not be obtained in anonymous form or under pseudonyms, the Client declares and guarantees that the processing of personal data will be in compliance with GDPR for all data that will be communicated to the Controller during the performance of the contract. In particular, the Client declares that it has been provided to any Data Subject an adequate information notice in which it is expressly mentioned the possibility to provide personal data to third entities and to have obtained the necessary consents for the purpose.
The Client undertakes to indicate to its employees and/or collaborators that the present Information Notice is also available on the website www.aegishcg.com, so that the Information Notice can be provided by the Controller to the data subject, pursuant to Sections 13 and 14, GDPR.
- Categories of Personal Data Recipients
Your personal data you will submit to us for the purposes mentioned under par. 2, above, could be transferred to:
- employees and collaborators of the Controller and / or other subsidiaries or related entities, or entities belonging to the same companies’ group to which the Controller is party thereof, as well as companies where the Group detains shares (Aegis UK, Aegis Human Consulting Group S.r.l.) in their capacity of persons authorized to process personal data or data processor;
(ii) any third party (such as provider for management and maintenance of website, credit institutions, professional firms, providers of services of consultancy and/or training and/or assessment and, in general, third parties with which the Controller has executed a contractual relationship for the performance of the activities under par. 3 above), performing outsourced activities on behalf of the Controller, in their capacity of data processors;
(iii) any judicial or controlling Authority, public entities (whether national or foreign ones);
The updated list of Processors and persons who are authorized to process personal data is available by Controller’s seat.
- Storage and Transfer of Personal Data to Third Countries
Your personal data will be processed, managed and stored on servers located within EU and may be transferred, if necessary for the performance of the activities under par. 3 above, to some countries outside EU (UK).
Should it be necessary to use third party’s activities which have their seats outside EU-countries, we inform you, here and now, that:
- the Controller has arranged to appoint these subjects as data processors pursuant to Section 28, Regulation executing a specific agreement which guarantees the transfer with appropriate safeguards and in compliance with the GDPR principles and
- The transfer of your personal data to these subjects is performed in strict compliance with provisions of Section 44 et seq of the Regulation.
This ensure you that will be adopted all necessary measures to guarantee you the complete personal data protection, because the transfer will be based on standard contractual clauses or other legal basis drafted to safeguard your rights and interests.
Your personal data will not subject to dissemination.
- Personal Data Storage Period
Your personal data provided for the purposes indicated under par. 2, section (i) above, are processed and stored for the entire duration of the executed contract; as of the termination of such contractual relationship, for whichever reason or cause, personal data will be stored as long as time-barring legal terms will be elapsed.
- Exercisable Rights
In compliance with the provisions under Chapter III, Section I, GDPR, you may exercise the rights therein indicated and in particular:
(i) right of access;
(ii) obtain the rectification or the erasure of personal data or the limitation to processing from Controller. In case of the request of erasure, the data subject has the right to obtain that Controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data;
(iii) right to object to the processing of personal data;
(iv) right to data portability;
(v) right to withdraw the consent at any time; the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal;
(vi) right to lodge a complaint with the Supervisory Authority.
You may exercise such rights by means of a request to be sent by email to the following certified email address: privacy@aegishcg.com
- Processing Operations
Your personal data are processed through the operations indicated in section 4, n.2), GDPR. Performed by not automated means – in particular: collection, recording, organization, structuring, update, storage, adaptation or alteration, retrieval and analysis, consultation, use, disclosure by transmission, alignment or combination, restriction, erasure or destruction of data.
Personal Data of data subject will be processed through traditional (modules, forms, etc.) or computer tools.
Whichever the way, it will guaranteed their security, logical and physical, and overall their confidentiality.
Last update: March 2024
FOR CANDIDATES top
Information Privacy notice for the acquisition of CV and information about candidates (by web site or other means) pursuant to Section 13, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, respectively, the “Information Notice” and the “Regulation” or the “GDPR”)
In accordance with the provision set forth by the Regulation, Aegis S.r.l., having its legal offices in Milan, via Gaetano Negri 8, 20123, VAT number 03516140963, certified e-mail address: aegishr@legalmail.it, in person of its pro tempore legal representative as controller of your personal data (hereinafter, the “Controller”), possibly acting also through Aegis UK - Recruiting & Consulting Ltd. having its legal offices in 20 Fitzroy Square W1T 6EJ - London, UK, VAT number 255 7676 63, e-mail address: aegishr@legalmail.it, in person of its pro tempore legal representative as processor of your personal data provides you with the present information notice, pursuant to Section 13, GDPR, in relation to the processing of your personal data communicated to us by you or by third parties.
- Identity and Contact details of the Controller
Aegis S.r.l., in person of its pro tempore legal representative, having its legal offices in Milan, via Gaetano Negri 8, 20123, VAT number 03516140963, certified e-mail address: aegishr@legalmail.it (hereinafter, the “Controller”).
- Contact of the Data Protection Officer
Aegis S.r.l. has appointed as Data Protection Officer Mr. Antonio Virgallita, available at the following email address: privacy@aegishcg.com.
You will be free to contact the DPO for any matter related to the processing of your personal data and/or should you want to exercise your rights, as indicated and described below, sending out a written communication at the email address above.
- Purposes of the processing for which the personal data are intended and related legal basis
Your personal data will be processed:
(i) without your consent (Section 6, items b, c, f, GDPR), for the following purposes:
- activities related and aimed at personnel recruitment and selection and updating of such activities, for present or future job positions, to be included in the organization of companies or other entities for which the Controller operates, as well as receive free services offered by the Controller such as, but not limited to, active labour policies, courses, training, sector studies on anonymous basis, aimed at the provision of informative and divulgative services by the Controller;
- compliance with legal obligations, as provided for by a law (Italian or UE), a regulation applicable to the sector of the Controller, collective labour agreement or other binding legal provisions (in particular, on tax, social security, health and safety at work, public order and security), as well as to ascertain, exercise or defend the rights of the Controller in extrajudicial and/or judicial proceedings, for the entire duration of the litigation, until the time limits for appeal actions have expired;
- Any personal data you provide that falls under special categories of data pursuant to Art. 9, GDPR will be processed by the Data Controller, only where necessary and relevant, to evaluate your application for job positions falling under the scope of targeted employment. In this case, the legal basis for the processing is the need to fulfill the obligations and exercise the specific rights of the Data Controller or the Data Subject in the field of labour law and social security and protection, to the extent authorized by EU or Member States' law or by a Trade Union agreement under the law of the Member States, where there are appropriate safeguards for the fundamental rights and interests of the data subject (Art. 9.2, lett. b, GDPR);
- the Data Controller may process public information regarding your profile present on social networks of a professional nature in order to verify that the data you have provided corresponds to what you have declared, limited only to information of a professional nature, necessary for the sole purpose of assessing the specific risks related to the type of activity to be carried out according to the requested profile, taking all necessary measures to ensure the proper balancing of your interests, fundamental rights and freedoms with our legitimate interest.
(ii) with your consent (Section 7, GDPR)
- communication of your personal data, including special categories of personal data pursuant to Sections 9 and 10, GDPR, in addition to those belonging to sheltered group that are eventually provided by the data subject, as well as individual reports, with a short descriptive profile drafted by the Controller further to one or more interviews and any possible result of the assessment activities performed to third parties which entertain a relationship with the Controller for personnel recruitment and selection services;
The transfer of personal data for the purposes indicated above under sec. (i) will be compulsory. Any lack of the data and/or any express refusal of consent to process such data, may cause the impossibility to the Controller to perform the activities for which it has been contacted or has contacted the candidate, also if related to the recruitment and selection process. As far as concerns the performance of sector studies on anonymous basis, the Data Subject can obtain the suspension of the sending out of any possible questionnaire by e-mail, sending a specific request to the following address: privacy@aegishcg.com.
The transfer of personal data for the purposes indicated above under sec. (ii) will be on voluntary basis; consequently, you may decide not to provide any consent or to waive it at any moment. In the latter case, the Controller will not be able to perform, however, most of the services that normally provides to the candidates, it being impossible any communication of the personal data to third parties to which the Controller provides personnel recruitment and selection services. Should the consent be provided, the Controller informs you that, pursuant to section 7, GDPR, the same consent will be deemed as valid and effective for a period of 48 months from the date on which the same was given and/or renewed, it remaining understood that the Data Subject may at any time request the cancellation and without prejudice to all your rights set forth by the Regulation. Such term has been set by the Controller on the basis of the average duration of the recruitment and selection mandates received by its clients.
- Processed Categories of Personal Data
Personal data processed by the Data Controller include, but are not limited to, first name, last name, place and date of birth, tax identification number, residence, gender, business identification number, location data, an online identifier or one or more characteristic elements of your physical, physiological, genetic, mental, economic, cultural or social identity, telephone contacts, educational qualification, work experience, any additional data you entered in the CV and/or in the questionnaire completed via web.
In order to reach the abovementioned purposes of the data processing, pursuant to principle of “data minimization” in accordance with Section 5, no 1, items c), GDPR, there is no need for the Controller to process yours or, possibly, your family members special categories of personal data, as defined by Sections 9 and 10, GDPR, except the only confidential data relating to the belonging or not to sheltered group. Therefore, we invite you not to send to the Controller any additional personal data, if those data are not necessary to perform the selection process; if you send such data, the Controller will have the power to remove and/or obscure them, and, in any case, not to process those data for any purposes indicated above under par. 3.
We highlight that this potential personal data processing will also take place in compliance with Section 8, Workers’ Statute (Law no. 300/1970 and further adjustments and integrations), which sets forth the obligation of the employer, for the purpose of recruitment and during the employment relationship, to avoid to conduct any investigation about employees’ political, religious or trade-unions opinion, as well as about any circumstance not relevant for the evaluation of professional skills. In particular, the Controller will process the personal data included in the CV received by the candidate and in the individual report, with a short descriptive profile drafted by the Controller further to one or more interviews.
- Categories of Personal Data Recipients
The personal data you will submit to us for the purposes mentioned under par. 3, section (i) above, could be transferred to:
- (i) Employees and collaborators of the Controller and / or other subsidiaries or related entities, or entities belonging to the same companies’ group to which the Controller is party thereof (Aegis UK, Aegis Human Consulting Group S.r.l. and/or other business line of the Controller in their capacity of persons authorized to process personal data or data processor;
- (ii) Professionals and professional offices empowered by the Controller, law and consulting firm, providers of services of consultancy and/or training and/or assessment and, in general, third parties with which the Controller has executed a contractual relationship for the performance of the activities under par. 3 above and duly appointed as processors, pursuant to Section 28, GDPR;
- (iii) Public authorities for legal requirements and supervisory purposes, public administrations, public entities (national and UE).
- Processing operations
The processing of personal data of the Employee is realized through the operations indicated in section 4, n. 2, GDPR – whether or not by automated means – and in particular: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, alignment or combination, restriction, erasure or destruction of data.
Personal data will be processed and stored through traditional (form, questionnaire, etc.) or computer tools. Whichever the way, it will guaranteed data security, logical and physical, and overall data confidentiality and excluded any dissemination.
- Transfer of Personal Data to Third Countries
Your personal data will be processed, managed and stored on servers located within EU, and may be transferred, if necessary for the performance of the activities under par. 3 above, to some countries outside EU (UK, USA, UAE and India).
Should it be necessary to use third party’s activities which have their seats outside EU-countries, we inform you, here and now, that:
- the Controller has arranged to appoint these subjects as data processors pursuant to Section 28, Regulation executing a specific agreement which guarantees the transfer with appropriate safeguards and in compliance with the GDPR principles and
- The transfer of your personal data to these subjects is performed in strict compliance with provisions of Section 44 et seq of the Regulation.
This ensure you that will be adopted all necessary measures to guarantee you the complete personal data protection, because the transfer will be based on standard contractual clauses or other legal basis drafted to safeguard your rights and interests.
Your personal data will not subject to dissemination.
- Personal Data Storage Period
Your personal data will be stored for the entire duration of the mandate for which your data have beeen collected, as received by the client/s for the personnel recruitment and selection, at the expiring of such term (for whichever reason and/or cause) the data will be stored for 48 months from lasta performed activity on the data, it remaining understood that the Data Subject may at any time request the cancellation.
- Exercisable Rights
In compliance with the provisions under Chapter III, Section I, GDPR, you in your quality of data subject, may exercise the rights therein indicated, and in particular:
- (i) right of access;
- (ii) right to obtain the rectification or the erasure of personal data or the limitation to processing from Controller. In case of the request of erasure, the data subject has the right to obtain that Controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data;
- (iii) right to object to the processing of personal data;
- (iv) right to data portability;
- (v) right to withdraw the consent at any time; the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal;
- (vi) right to lodge a complaint with the Supervisory Authority.
The data subject may exercise such rights by means of a request to be sent by email to the following email address: privacy@aegishcg.com
Last update: March 2024
FOR SUPPLIERS top
INFORMATION NOTICE PURSUANT TO SECTIONS 13 AND 14 GDPR
Dear Data Subject,
In accordance with the provision set forth by the European Regulation 2016/679 of the EU Parliament and of the Counsel dated April 27, 2016, concerning the protection of natural persons with regard to processing of personal data (hereinafter, the “GDPR” or the “Regulation”), Aegis S.r.l., having its legal offices in Milan, via Gaetano Negri 8, 20123, VAT number 03516140963, certified e-mail address: aegishr@legalmail.it, in person of its pro tempore legal representative as controller of your personal data (hereinafter, “Aegis” or the “Controller”), and, where applicable, Aegis UK – Recruiting & Consulting Ltd. having its legal offices in 20 Fitzroy Square W1T 6EJ- London, United Kingdom, VAT number 255 7676 63, certified e-mail address: aegishr@legalmail.it, in person of its pro tempore legal representative as processor of your personal data, provide you with the present information notice, pursuant to Sections 13 and 14, GDPR, in relation to the processing of your personal data communicated to us by you or by third parties (hereinafter, the “Information Notice”).
Your personal data will be processed to the following condition.
- Identity and Contact details of the Controller
Aegis S.r.l., in person of its pro tempore legal representative, having its legal offices in Milan, via Gaetano Negri 8, 20123, VAT number 03516140963, email address: privacy@aegishcg.com, certified e-mail address: aegishr@legalmail.it,
- Contact of the Data Protection Officer
Aegis S.r.l. has appointed as Data Protection Officer Mr. Antonio Virgallita, available at the following email address: privacy@aegishcg.com.
You will be free to contact the DPO for any matter related to the processing of your personal data and/or should you want to exercise your rights, as indicated and described below, sending out a written communication at the email address above.
- Purposes of the processing for which the personal data are intended and related legal basis
Your personal data will be processed without your consent (pursuant to section 6, items b, c, f, GDPR), for the following purposes:
- performance of pre-contractual and contractual obligations deriving from the execution of the contract between you and the Controller;
- compliance with provisions of a law or a regulation (national or EU), or perform an order of public or judicial Authority or controlling Authority to which the Controller is subject;
- exercise the rights of the Controller, with particular reference to judicial defensive rights.
For the purposes above mentioned, the collection of your personal data is necessary. Any lack of the data and/or possible express refusal to process such data, may cause the impossibility to the Controller to perform the contractual services or the possible violation of requests of the controlling Authority.
- Processed Categories of Personal Data
Pursuant to Section 4, no. 1, GDPR, the “personal data” which may be processed by the Controller, for the above purposes, concerning, by way of example, name and family name, tax code, copy of ID, VAT number, residence, domicile, work address, email or certified email address, phone and fax numbers and, eventually, bank, financial or insurance data, etc.
You will not to send your personal data to the Controller, except where personal data are strictly necessary to perform contractual and / or commercial activities. In all other cases, personal data should be transferred to the Controller anonymously or under pseudonyms, pursuant to principle of “data minimization” as stated by Section 5, par. 1, GDPR.
In the event that, during the performance of the contractual relationship, the supplier (legal entity, hereinafter, the “Supplier”), communicate to the Controller (not anonymously or not under pseudonyms) more data in addition to the ones of legal representative and/or contact persons, the same Supplier declares and guarantees to process all above personal data lawfully and in compliance with GDPR, furthermore, the Supplier declares that it has been provided to any Data Subject an adequate information notice, in which it is expressly mentioned the possibility to provide personal data to third entities and to have obtained the necessary consents for the purpose. Furthermore, the Supplier undertakes to indicate to its employees and/or collaborators that the present Information Notice is available on the website www.aegishcg.com, so that the Information Notice can be provided by the Controller to the data subject, pursuant to Sections 13 and 14, GDPR.
- Categories of Personal Data Recipients
For the purposes mentioned under par. 2 above, the personal data you will submit could be transferred to:
- employees and collaborators of the Controller and / or other subsidiaries or related entities, or entities belonging to the same companies’ group to which the Controller is party thereof, as well as companies where the Group detains shares (Aegis UK, Aegis Human Consulting Group S.r.l.) in their capacity of persons authorized to process personal data or data processor;
- any third party (such as provider for management and maintenance of website and/or management information systems, providers, credit institutions, professional companies, etc.), performing outsourced activities on behalf of the Controller, in their capacity of data processors;
- controlling Authority, public entities and institutions (whether national or foreign ones).
- Storage and Transfer of Personal Data to Third Countries
The Controller declares that the process and the storage of the personal data take place on servers located within UE, belonging to and/or in the possession of the Controller and/or third party companies, as duly appointed as processors. Where necessary, the transfer to non EU-countries will be performed, anyhow, in compliance with the provisions under par. V, GDPR (Section 46), adopting standard contractual clauses drafted pursuant to versions no. 2004/915/EC e n. 2010/87/EU, as adopted by the European Commission. The Controller may transfer servers in non-EU countries.
Your personal data will not subject to dissemination.
- Personal Data Storage Period
Personal Data provided for the purposes indicated under par. (b), above will be processed and stored for the entire duration of the executed contract. As of the termination of such contractual relationship, for whichever reason or cause, personal data will be stored as long as time-barring legal terms will be elapsed.
- Exercisable Rights
In compliance with the provisions under Chapter III, Section I, GDPR, you may exercise the rights therein indicated and in particular:
- (i) right of access;
- (ii) obtain the rectification or the erasure of personal data or the limitation to processing from Controller. In case of the request of erasure, the data subject has the right to obtain that Controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data;
- (iii) right to object to the processing of personal data;
- (iv) right to data portability;
- (v) right to withdraw the consent at any time; the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal;
- (vi) right to lodge a complaint with the Supervisory Authority.
You may exercise such rights by means of a request to be sent by email to the following certified email address: privacy@aegishcg.com.
- Processing Operations
Your personal data are processed through the operations indicated in section 4, n.2), GDPR. Performed by not automated means – in particular: collection, recording, organization, structuring, update, storage, adaptation or alteration, retrieval and analysis, consultation, use, disclosure by transmission, alignment or combination, restriction, erasure or destruction of data.
Whichever the way, it will be guaranteed their security, logical and physical, and overall their confidentiality, implementing all the appropriate technical and organizational measures to ensure their security.
Last update: March 2024