Logo grande Logo compatto

Privacy policy En

ARTICLES 13 – 14 OF EU REGULATION 679/2016
INFORMATION NOTICE ON THE PROTECTION OF PERSONAL DATA OF CLIENTS – SUPPLIERS – THIRD PARTIES
(the so-called “data subjects”)

Update: JANUARY 2019 – INFORMATION NOTICE CFT MOD. 1 – 2019

This information notice may be amended following the introduction of new laws or due to new processing activities that MEET and WORK may carry out. You are therefore invited to periodically visit the website www.meetandwork.it under the section “Privacy Notice for Clients, Suppliers and Third Parties” to check for updates.

For any clarification, information or to exercise the rights listed in this information notice, please contact meet@meetandwork.com, or, for registered mail with return receipt, MEET and WORK at Piazza del Sole e della Pace n. 5, 35031 Abano Terme (PD), Italy, or call tel. +39 049 8601818. The data subject is kindly requested to indicate in the subject of the communication: “Privacy Request”.

INDEX

(click to jump to the relevant section)

1. DEFINITION OF PERSONAL DATA AND OF THEIR PROCESSING.

“Personal data” means any information which identifies or makes identifiable a natural person. This includes information that directly identifies the person (such as name, surname or tax code) as well as information that only indirectly identifies them (such as an online identifier or profiling cookies, where used on the website).

“Processing” of personal data means any operation or set of operations which is performed on personal data or on sets of personal data, with or without the aid of automated processes, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

2. PRIVACY ROLES.

2.1 Data Controller.

The Data Controller (“Controller”) is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. The Controller is also responsible for security aspects. With regard to the processing of the data subject’s personal data, the Controller is:

MEET and WORK S.R.L.
with registered office at Piazza del Sole e della Pace n. 5, 35031 Abano Terme (PD), Italy, VAT No. 03828920384, in the person of its pro tempore legal representative. For any clarification or to exercise the data subject’s rights, the contact details given above may be used.

2.2 Data Processor.

The Data Processor is the natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller. With regard to the processing of the data subject’s personal data, the Controller has appointed the following entities as external Data Processors:

  • The Accountant,
    who will process only the data strictly necessary to comply with tax and accounting obligations to which the Controller is subject by law;
  • The Software House,
    which supplies the Controller with the software for data management and may process the data subject’s data when providing support, maintenance or system updates;
  • The IT Company,
    which manages the Controller’s IT systems and may process the data when providing support, maintenance or system updates;
  • The Web Agency,
    which manages the website and may process data relating to the data subject when providing maintenance, support or system updates.

For any information regarding their corporate details, the type of data they process and the methods of processing, please contact the addresses indicated above. The appointment of these entities and the scope of their responsibilities are limited to the specific processing activities described. Over time, the Controller may update the list of Data Processors (by appointing new Processors or revoking mandates already granted); the data subject may therefore request further information at any time using the same contact details.

2.3 Persons authorised to process data.

Persons authorised to process data are the natural persons who process the data under the Controller’s authority and on the basis of its instructions. MEET and WORK has formally appointed as authorised persons those who carry out work activities within the company. Each of them has been properly instructed and trained to handle the data provided by the data subject with care.

For further information regarding such persons, please contact the addresses indicated above.

3. PURPOSES OF PROCESSING AND OTHER INFORMATION.

3.1 General rules on the processing of personal data.

Pursuant to EU Regulation 679/2016 (“GDPR”) on the protection of natural persons, the processing of personal data must be based on the principles of fairness, lawfulness, transparency, protection of the data subject’s privacy and safeguard of his/her rights. The Controller undertakes to comply with these principles and, for this purpose, informs the data subject from the outset that – except for processing for which the law requires consent – by providing personal data the data subject accepts and agrees to be bound by the terms and conditions of this information notice.

Except as expressly provided by the GDPR with regard to natural persons, this information notice also governs processing operations relating to legal persons where specific national and/or European provisions grant protections to such entities as well (for example, processing for the purpose of sending advertising communications through automated systems).

With regard to the direct offer of information society services, the GDPR provides enhanced protection for minors under the age set by national law (in Italy, generally 14 or 16): in such cases, processing of their data may only be carried out by the Controller if the consent to processing has previously been given or authorised by the holder of parental responsibility.

MEET and WORK processes only the data strictly necessary to pursue the various purposes of processing. The data provided will be used solely and exclusively to achieve the purposes described in the following sections (by way of example, data provided for contractual purposes will not be used for different purposes, unless there is a specific consent or a legitimate interest allowing such further use).

The Controller does not carry out automated processing – such as profiling – on which decisions are based that produce legal effects concerning the data subject or similarly significantly affect him or her.

3.2 Processing of the personal data of PARTICIPANTS IN EVENTS.

Data that may be processed.

Name, surname, date and place of birth, residence, telephone, fax, email, tax data, credit card data, tax code, images, status as public employee or not, data concerning the public body where the participant works. Processing of “special categories of data” and “data relating to criminal convictions and offences” within the meaning of Articles 9 and 10 of EU Regulation 679/2016 is not envisaged.

Legal basis and purposes of processing. Processing of the above data is lawful as it is carried out:

1.a) for the performance of pre-contractual and contractual measures to which the data subject is party. The Controller processes the data to verify that all requirements for registration (to a course, congress, event) are met, to enable such registration, to contact the participant for any clarification strictly concerning the registration, and for any other matter related to the contract.

a-bis) for the performance of contractual measures using data collected from the healthcare institution. In some cases, the above data may be provided to the Controller by the healthcare institution where the data subject works. This occurs because only the healthcare institution is entitled to select, among the possible participants in the congress/course, those who may benefit from certain advantages made available by the sponsor. Once the data have been received, the Controller will contact the participants thus identified in order to collect any further information that may be useful for the purposes indicated under letters a), b), c) and d) of this section.

5.b) for compliance with legal obligations. In implementation of the “Regulation on objective criteria pursuant to the State-Regions Agreement of 5.11.2009 and for accreditation” approved by the National Commission for Continuing Education on 13.01.2010, the State–Regions Agreement of 2.02.2017, Legislative Decree 165/2001 and any other national or European legislation legitimising such processing, the Controller processes data in order to communicate them to third parties, for reporting and accreditation with the competent Ministry, and for tax and accounting purposes, for the exercise of its rights and for other related purposes.

6.c) on the basis of the data subject’s prior consent. With the data subject’s consent, the Controller processes the data for sending (by email/fax/SMS/other automated systems/calls without operator involvement/ordinary mail/calls with operator) news and information relating to its sector of activity (for example, communications on new congresses, events, courses, etc.). Moreover, with prior consent (and only if required under copyright law), the Controller processes the data subject’s images for the creation of e-learning (FAD) courses, for advertising purposes and similar. Data provided for these purposes will be stored until consent is withdrawn; the data subject may withdraw consent at any time (see Art. 7 GDPR on the right to withdraw consent). Withdrawal shall not affect the lawfulness of processing based on consent before its withdrawal.

7.d) on the basis of the Controller’s legitimate interest. Regardless of consent, the Controller may lawfully send – by email/fax/SMS/other automated systems/calls without operator involvement/ordinary mail/calls with operator – communications regarding new events, congresses and training courses to those who have already entered into a relationship with the Controller or who have expressed an interest in its activities (for example, it is lawful to send such communications, even without consent, to a person who has already used the Controller’s services and is receiving information on similar services). According to the Controller’s assessment, this processing does not prejudice the rights and freedoms of the data subject, who has already shown an interest in the Controller’s activities and may reasonably expect to receive information, updates and news about new services.

Obligation to provide data.
The data subject is not obliged to provide the above data; however, failure to provide them will prevent participation in the course, event or congress, as well as the obtainment of educational credits from the competent authority.

Disclosure of data to third parties.
To comply with legal and contractual obligations, some of the above data may be communicated to:

  • 1) banks or payment institutions for collection of registration fees;
  • 2) insurance companies in the event of accidents or other liabilities;
  • 3) the “Comitato Gestione Anagrafica Professioni Sanitarie” (Register Management Committee for Healthcare Professions), the public body responsible for overseeing the event;
  • 4) the National Agency for Regional Healthcare Services (Agenas), the body responsible for assigning credits;
  • 5) other public bodies where required by law;
  • 6) the Controller’s lawyers to protect or defend rights in court, law enforcement authorities in the event of unlawful acts or the Judicial Authority.

Dissemination and transfer of data to non-EU Countries.
Unless the data subject has given consent for the use of his/her images, data will not be disseminated nor transferred to international organisations. With regard to possible transfers of data to non-EU Countries, the Controller uses its own servers located in Italy and relies on companies whose servers are located within the European Union for both ordinary email and certified email (PEC). The company providing hosting for the website www.meetandwork.it also keeps its servers in Italy. This means that the data subject’s data will not be transferred to non-EU Countries. More generally, the Controller undertakes not to transfer data to non-EU Countries. Should a transfer take place, this will only occur in compliance with the safeguards provided by law (such as an adequacy decision by the European Commission or appropriate safeguards including Binding Corporate Rules). In the absence of such conditions, a transfer may take place only with the data subject’s consent, or within a contract between the data subject and the Controller, or a contract between the Controller and a third party in the interest of the data subject.

Profiling and methods of processing.
The Controller does not carry out profiling. Processing is carried out using electronic tools (PCs, management systems, email, certified email, telephone, fax, etc.) and paper tools (printing of documents, postal services, etc.). The Controller protects the data using appropriate security measures.

Data retention period.
For processing under point a), data will be stored for a maximum of 10 years from the end of the event, congress or training course in order to comply with legal, accounting and tax obligations and to assert or defend rights in legal proceedings. For processing under point c), data will be stored until consent is withdrawn. For processing under point d), data will be stored until the data subject objects to such processing; this may be done at any time.

3.3 Processing of the personal data of PERSONS INVOLVED IN THE EVENT PROGRAMME.

(for example, speakers, lecturers, scientific coordinators, tutors, etc.)

Categories of data.
Name, surname, date and place of birth, residence, telephone, email, profession, employer’s name, education, qualifications, awards, bank account details, tax code, images, teaching materials and slides used. Processing of “special categories of data” and “data relating to criminal convictions and offences” within the meaning of Articles 9 – 10 of EU Regulation 679/2016 is not envisaged.

Legal basis and purposes of processing. Processing of the above data is lawful as it is carried out:

1.a) for the performance of pre-contractual and contractual measures to which the data subject is party. The Controller processes the data to verify that the legal requirements to lawfully appoint the data subject are met, to confer the appointment, to make any payments due, to contact the data subject for contractual purposes and for any matter relating to the contract.

2.b) for compliance with legal obligations. In implementation of the “Regulation on objective criteria pursuant to the State-Regions Agreement of 5.11.2009 and for accreditation” approved by the National Commission for Continuing Education on 13.01.2010, the State–Regions Agreement of 2.02.2017, Legislative Decree 165/2001 and any other national or European legislation legitimising such processing, the Controller processes data in order to communicate them to third parties, for reporting and accreditation with the competent Ministry and for tax and accounting purposes, for the exercise of its rights and for other related purposes.

3.c) on the basis of the data subject’s prior consent. With consent, the Controller processes data for sending (by email/fax/SMS/other automated systems/calls without operator involvement/ordinary mail/calls with operator) news and information relating to its sector of activity (for example, communications on new congresses, events, courses, etc.). Moreover, with prior consent (and only if required under copyright law), the Controller processes the data subject’s images for the creation of e-learning (FAD) courses, for advertising purposes and similar. Data provided for these purposes will be stored until consent is withdrawn; the data subject may withdraw consent at any time (see Art. 7 GDPR). Withdrawal shall not affect the lawfulness of processing based on consent before its withdrawal.

4.d) on the basis of the Controller’s legitimate interest. Regardless of consent, the Controller may lawfully send – by email/fax/SMS/other automated systems/calls without operator involvement/ordinary mail/calls with operator – communications regarding new events, congresses and training courses to those who have already entered into a relationship with the Controller or who have expressed an interest in its activities (for example, it is lawful to send such communications, even without consent, to a person who has already used the Controller’s services and is receiving information on similar services). According to the Controller’s assessment, this processing does not prejudice the rights and freedoms of the data subject, who has already shown an interest in the Controller’s activities and may reasonably expect to receive such information.

Obligation to provide data.
The data subject is not obliged to provide the above data; however, failure to do so will prevent the Controller from assessing the professional profile for the purpose of entering into a contract, conferring the appointment and sending communications of interest (for example relating to courses, congresses, etc.).

Disclosure of data to third parties.
To comply with legal and contractual obligations, some of the above data may be communicated to:

  • 1) banks or payment institutions for payment of the agreed fee, where applicable;
  • 2) insurance companies in the event of accidents or other liabilities;
  • 3) the employer for the authorisation of the appointment pursuant to Art. 53 Legislative Decree 165/2001;
  • 4) the “Comitato Gestione Anagrafica Professioni Sanitarie”, the public body responsible for overseeing the event;
  • 5) the National Agency for Regional Healthcare Services (Agenas), the body responsible for assigning credits, where applicable;
  • 6) other public bodies identified by law;
  • 7) the Controller’s lawyers to protect or defend rights in court, law enforcement authorities in the event of unlawful acts or the Judicial Authority.

Dissemination and transfer of data to non-EU Countries.
Unless the data subject has given consent for the use of his/her images, data will not be disseminated nor transferred to international organisations. With regard to possible transfers of data to non-EU Countries, the Controller uses its own servers located in Italy and relies on companies whose servers are located within the European Union for both ordinary email and certified email (PEC). This means that the data subject’s data will not be transferred to non-EU Countries. More generally, the Controller undertakes not to transfer data to non-EU Countries. Should a transfer take place, this will only occur in compliance with the safeguards provided by law (such as an adequacy decision by the European Commission or appropriate safeguards including Binding Corporate Rules). In the absence of such conditions, a transfer may take place only with the data subject’s consent, or within a contract between the data subject and the Controller, or a contract between the Controller and a third party in the interest of the data subject.

Profiling and methods of processing.
The Controller does not carry out profiling. Processing is carried out using electronic tools (PCs, management systems, email, certified email, telephone, fax, etc.) and paper tools (printing of documents, postal services, etc.). The Controller protects the data using appropriate security measures.

Data retention period.
For processing under point a), data will be stored for a maximum of 10 years from the end of the contractual relationship, in order to comply with legal, accounting and tax obligations and to assert or defend rights in legal proceedings. For processing under point c), data will be stored until consent is withdrawn. For processing under point d), data will be stored until the data subject objects to such processing; this may be done at any time.

3.4 Processing of the personal data of CLIENTS.

(“Client” means anyone other than “Participants” and “Persons involved in the event programme”, such as sponsors, promoting bodies, private companies, etc.).

Data that may be processed.
Name and surname, residence, tax code, VAT number, company name, registered office or operating offices, email, certified email (PEC), telephone, bank details, data relating to the client’s employees where the client is a legal person.

Legal basis and purposes of processing.
Processing is lawful as it is carried out:

1.a) for the performance of pre-contractual measures adopted at the request of the data subject. The Controller processes the client’s data to prepare quotations, verify the legal requirements for entering into a contract, contact the client by telephone or email, communicate physically with the client, prepare all necessary documentation and for related purposes.

2.b) for the performance of the contract to which the data subject is party. The Controller uses the data to execute the contract, to contact the client by email, telephone or certified email, and to comply with all contractual obligations.

3.c) for compliance with legal obligations. The Controller uses the data for tax and accounting documentation and to comply with obligations imposed by the “Regulation on objective criteria pursuant to the State-Regions Agreement of 5.11.2009 and for accreditation” approved by the National Commission for Continuing Education on 13.01.2010, the State–Regions Agreement of 2.02.2017, Legislative Decree 165/2001, Legislative Decree 219/2006 and any other applicable national or European law.

4.d) on the basis of the client’s consent. The Controller will obtain consent where processing is carried out for sending – by email/fax/SMS/other automated systems/calls without operator involvement/ordinary mail/calls with operator – communications, including advertising, or invitations to act as sponsor for events under organisation, as well as communications containing news and/or updates on the Controller’s sector of activity (so-called Newsletter). Data provided for these purposes will be stored until consent is withdrawn. Withdrawal may be exercised at any time (see Art. 7 GDPR). Withdrawal shall not affect the lawfulness of processing based on consent before its withdrawal.

5.e) on the basis of the Controller’s legitimate interest. Regardless of consent, the Controller may lawfully send – by email/fax/SMS/other automated systems/calls without operator involvement/ordinary mail/calls with operator – advertising communications relating to the services offered (marketing) and communications containing news and/or updates regarding its sector of activity (Newsletter) to those who have already entered into a relationship with the Controller or who have expressed an interest in its activities (for example, a person who has already used the Controller’s services and is receiving information on similar services). According to the Controller’s assessment, this processing does not prejudice the rights and freedoms of the client, who has already shown an interest in the Controller’s activities and may reasonably expect to receive such information.

Processing activities carried out for courtesy purposes towards certain clients are also based on the Controller’s legitimate interest and therefore do not require consent. These activities may include sending (by email, fax, telephone or ordinary mail) greeting messages on festive occasions (such as Christmas, Easter, etc.) or invitations to special events or celebrations. Given the relationship between the parties, the Controller considers that the client has a legitimate expectation in this regard and that such processing does not affect the client’s rights and freedoms.

Data processed for these purposes will be stored until the client objects to the processing, which may be done at any time – even immediately – (see Art. 21 GDPR).

Obligation to provide data.
The client is not obliged to provide personal data to the Controller. However, failure to do so will prevent MEET and WORK from submitting quotations, carrying out the activities covered by the contract and sending communications containing information on the Controller’s activities.

Disclosure of data to third parties.
To comply with contractual or legal obligations, some of the above data may be communicated to:

  • 1) banks or payment institutions to meet payment obligations arising from the contract;
  • 2) insurance companies in the event of accidents or claims, to fulfil reporting obligations under the law;
  • 3) public bodies for reporting on events and, where applicable, to other public bodies for different purposes;
  • 4) lawyers, law enforcement authorities or the Judicial Authority in the event of unlawful acts, contractual breaches or other legally relevant facts attributable to the client.

Transfer of data to non-EU Countries.
The company uses its own servers located in Italy; therefore, the client’s data will not be transferred to non-EU Countries. For email and certified email (PEC) services, the Controller relies on providers whose servers are located within the European Union and which have ensured adequate protection levels in line with European standards. In any case, if, in order to provide services to the client, MEET and WORK were to rely on companies located in non-EU Countries (or whose servers are located in such Countries), this should not be a cause for concern: a transfer of data would only take place in compliance with the safeguards provided by law (such as an adequacy decision by the European Commission or appropriate safeguards including Binding Corporate Rules). In the absence of such conditions, a transfer may take place only with the client’s consent, or within a contract between the client and the Controller, or a contract between the Controller and a third party in the interest of the client.

For any doubts or questions about transfers of data to non-EU Countries, the contact details listed above may be used.

Methods of processing.
All processing carried out by the Controller is performed using electronic tools (for example email, certified email, personal computers, management systems, etc.) and paper tools (for example printing of documents, ordinary mail, etc.).

Data retention period.
For processing under points a) and b): – if the client shows interest in the quotation but does not immediately enter into a contract, the data in the offer will be retained for 12 months and then erased; – if the quotation is clearly rejected, the client’s data will be erased immediately; – if a contract is entered into, the data will be retained for 10 years from the end of the contractual relationship for legal, tax and accounting purposes.

For processing under point d), data will be stored until consent is withdrawn, which may be done at any time (see Art. 7 GDPR). For processing under point e), data will be stored until the client objects to the processing (see Art. 21 GDPR).

Closing clause.
Upon reading this information notice, the Client declares that he/she will provide it to his/her employees whose data are communicated to the Controller in the context of the pre-contractual or contractual relationship described above.

3.5 Processing of the personal data of SUPPLIERS OF GOODS AND SERVICES.

(for example the accountant, software house, electricity provider and other similar suppliers)

Data that may be processed.
Name, surname, VAT number, registered office or operating offices, bank details, email, telephone, certified email (PEC), and where the supplier is a legal person, name and surname of its employees and other similar data.

Legal basis and purposes of processing.
Processing is lawful as it is carried out:

1.a) for the performance of pre-contractual measures adopted at the request of the supplier. The Controller uses the supplier’s data to assess quotations, contact the supplier by telephone/email/certified email and for related purposes.

2.b) for the performance of the contract to which the supplier is party. The Controller uses the data to make payments, to contact the supplier by email/telephone/certified email and to comply with all contractual obligations.

3.c) for compliance with legal obligations. The Controller uses the data for tax and accounting documentation and to comply with any legislative obligations arising from the contract.

4.d) on the basis of the supplier’s consent. The Controller will obtain consent where processing is carried out for sending – by email, fax, SMS, other automated systems/calls without operator involvement/ordinary mail/calls with operator – advertising communications relating to the Controller’s services (marketing) or communications containing news and/or updates regarding its sector of activity (Newsletter). Data provided for these purposes will be stored until consent is withdrawn. Withdrawal may be exercised at any time (see Art. 7 GDPR). Withdrawal shall not affect the lawfulness of processing based on consent before its withdrawal.

5.e) on the basis of the Controller’s legitimate interest. Regardless of consent, in the case of suppliers which, over time, have provided highly professional services (and have therefore established a stable collaboration with the Controller), the Controller may send them (usually by email or ordinary mail) greeting messages (for example on Christmas or Easter) or invitations to special events (for example to celebrate particular business achievements by the Controller), and similar.

Data processed for these purposes will be stored until the supplier objects to the processing, which may be done at any time – even immediately – (see Art. 21 GDPR).

Obligation to provide data.
The supplier is not obliged to provide the above data. However, failure to do so will prevent the Controller from assessing the quotation, entering into the contract for the supply of goods or services or sending the above communications.

Disclosure of data to third parties.
To comply with contractual or legal obligations, some of the above data may be communicated to:

  • 1) banks or payment institutions to meet payment obligations arising from the contract;
  • 2) insurance companies in the event of accidents or claims, to fulfil reporting obligations under the law;
  • 3) public bodies, only where expressly provided for by law;
  • 4) lawyers, law enforcement authorities or the Judicial Authority in the event of unlawful acts, contractual breaches or other legally relevant facts attributable to the supplier.

Transfer of data to non-EU Countries.
The company uses its own servers located in Italy; therefore, the supplier’s data will not be transferred to non-EU Countries. For email and certified email (PEC) services, the Controller relies on providers whose servers are located within the European Union and which have ensured adequate protection levels in line with European standards. In any case, if, in order to provide services to the supplier, MEET and WORK were to rely on companies located in non-EU Countries (or whose servers are located in such Countries), this should not be a cause for concern: a transfer of data would only take place in compliance with the safeguards provided by law (such as an adequacy decision by the European Commission or appropriate safeguards including Binding Corporate Rules). In the absence of such conditions, a transfer may take place only with the supplier’s consent, or within a contract between the supplier and the Controller, or a contract between the Controller and a third party in the interest of the supplier.

For any doubts or questions about transfers of data to non-EU Countries, the contact details listed above may be used.

Methods of processing.
All processing carried out by the Controller is performed using electronic tools (for example email, certified email, personal computers, management systems, etc.) and paper tools (for example printing of documents, ordinary mail, etc.).

Data retention period.
For processing under points a) and b): – if the Controller is interested in the quotation but does not immediately need to enter into a contract, the supplier’s data will be retained for a maximum period of 12 months; – if the quotation is clearly not of interest, the data will be erased immediately; – if a contract is entered into, the supplier’s data will be retained for 10 years from the end of the contractual relationship for legal, tax and accounting purposes.

For processing under point d), data will be stored until consent is withdrawn, which may be done at any time (see Art. 7 GDPR). For processing under point e), data will be stored until the supplier objects to the processing (see Art. 21 GDPR).

Closing clause.
Upon reading this information notice, the Supplier declares that he/she will provide it to his/her employees whose data are communicated to the Controller in the context of the pre-contractual or contractual relationship described above.

3.6 Processing carried out for the assessment of the professional profile of CANDIDATES.

Categories of data that may be processed.
Name, surname, email, telephone, education and training, tax code and other data, including data relating to minors if the candidate is under 18. Candidates are advised not to include “special categories of data” or “data relating to criminal convictions and offences” within the meaning of Articles 9–10 GDPR (for example health data, data revealing political opinions, criminal records, etc.) unless strictly necessary.

If the candidate provides a link to his/her “public social network profile” (e.g. Facebook, Instagram, LinkedIn), the data contained therein will be processed by the Controller only where necessary and relevant to the performance of the role for which the application is made (for example, a candidate applying as a social media manager who uses a public profile to showcase his/her skills). Social media profiles used by the candidate exclusively for private purposes will not be taken into account; the candidate is therefore invited not to include such information in the CV.

Legal basis and purposes of processing.
Processing is lawful as it is carried out for the performance of pre-contractual measures adopted at the request of the candidate. In fact, sending a CV or other data relating to the candidate’s professional sphere – and the subsequent assessment of the profile by the Controller – aims to determine whether or not an employment relationship should be established. The consent clause at the end of the CV must be included only if the candidate decides to provide the Controller with “special categories of data” or “data relating to criminal convictions and offences” (“I hereby give my explicit consent to the processing of the special categories of data and data relating to criminal convictions and offences contained in this CV”, together with date and signature).

Obligation to provide data.
The candidate is not obliged to provide the above data; however, failure to provide all or part of them will prevent the Controller from assessing the application.

Disclosure of data to third parties.
If the CV is sent spontaneously by the candidate, his/her personal data will not be disclosed to third parties.

If, however, the CV is sent in response to a job advertisement published by the Controller on a third-party website or with the help of recruitment agencies, those third parties may process the candidate’s data. Where applicable, such third parties will be appointed and instructed to process candidates’ data with due care.

Transfer of data to non-EU Countries.
The company uses its own servers located in Italy; therefore, candidates’ data will not be transferred to non-EU Countries. For email and certified email (PEC) services, the Controller relies on providers whose servers are located within the European Union and which have ensured adequate protection levels in line with European standards. In any case, if, in order to provide services to the candidate, MEET and WORK were to rely on companies located in non-EU Countries (or whose servers are located in such Countries), this should not be a cause for concern: a transfer of data would only take place in compliance with the safeguards provided by law (such as an adequacy decision by the European Commission or appropriate safeguards including Binding Corporate Rules). In the absence of such conditions, a transfer may take place only with the candidate’s consent, or within a contract between the candidate and the Controller, or a contract between the Controller and a third party in the interest of the candidate.

For any doubts or questions about transfers of data to non-EU Countries, the contact details listed above may be used.

Methods of processing.
Processing is carried out using electronic tools (email, personal computers, management systems, etc.) and paper tools (printing of CVs).

Data retention period.
The retention period depends on whether or not an employment relationship is established. – If the Controller is not interested in the profile, the candidate’s data will be erased immediately; – if the profile is of potential interest but no position is available at the time of application, MEET and WORK will retain the data for a maximum of 15 months; – if an employment contract is entered into, the Controller will retain the employee’s data as specified in the “Employee Privacy Information Notice” which will be provided for that purpose.

3.7 Processing of the personal data of THIRD PARTIES.

(this includes all persons who do not fall within any of the categories listed above)

Data that may be processed.
Name, surname, company name, VAT number, registered office or operating offices, email, telephone, certified email (PEC) and similar data.

Legal basis and purposes of processing.
Processing is lawful as it is carried out:

1.a) on the basis of the data subject’s consent. With consent, the Controller processes the data of third parties for sending – by email, fax, SMS, other automated systems/calls without operator involvement/ordinary mail – advertising communications relating to the Controller’s services (marketing) and communications containing news and/or updates regarding its sector of activity, such as information on training courses/events/congresses being organised or already held. Data provided for these purposes will be stored until consent is withdrawn; the data subject may withdraw consent at any time (see Art. 7 GDPR). Withdrawal shall not affect the lawfulness of processing based on consent before its withdrawal.

2.b) on the basis of consent given by the data subject to another Controller. The present Controller may send the above communications to data subjects who have not given their consent directly to MEET and WORK but to another controller. At the time of collection, that other controller will have informed the data subject that consent also extended to the communication of his/her data to our company (or to a company operating in the event-organisation sector), so that MEET and WORK may lawfully send the data subject – by email, fax, SMS, other automated systems/calls without operator involvement/ordinary mail/calls with operator – advertising communications relating to its services (marketing) and communications containing news and/or updates regarding its sector of activity (Newsletter). Data provided for these purposes will be stored until consent is withdrawn; the data subject may withdraw consent at any time (see Art. 7 GDPR). Withdrawal shall not affect the lawfulness of processing based on consent before its withdrawal.

Obligation to provide data.
Third parties are not obliged to provide the above data. However, failure to do so will prevent the Controller from sending communications relating to training courses/events/congresses being organised or already held.

Disclosure of data to third parties.
With regard to this processing activity, the Controller does not disclose data to other third parties.

Transfer of data to non-EU Countries.
The company uses its own servers located in Italy; therefore, third parties’ data will not be transferred to non-EU Countries. For email and certified email (PEC) services, the Controller relies on providers whose servers are located within the European Union and which have ensured adequate protection levels in line with European standards. In any case, if, in order to provide services to the data subject, MEET and WORK were to rely on companies located in non-EU Countries (or whose servers are located in such Countries), this should not be a cause for concern: a transfer of data would only take place in compliance with the safeguards provided by law (such as an adequacy decision by the European Commission or appropriate safeguards including Binding Corporate Rules). In the absence of such conditions, a transfer may take place only with the data subject’s consent, or within a contract between the data subject and the Controller, or a contract between the Controller and a third party in the interest of the data subject.

For any doubts or questions about transfers of data to non-EU Countries, the contact details listed above may be used.

Methods of processing.
Processing is carried out mainly by electronic means (sending emails, including group emails, use of personal computers, etc.).

Data retention period.
Data collected for sending communications will be stored until consent is withdrawn. The data subject may do so at any time by contacting the addresses given above (see Art. 7 GDPR on the right to withdraw consent). Withdrawal shall not affect the lawfulness of processing based on consent before its withdrawal.

3.8 Processing carried out via the website with regard to USERS.

(Contact forms – Newsletter – Cookies)

MEET and WORK operates the website www.meetandwork.it, through which the Controller collects data from users. For more detailed information on the processing carried out through this website, please refer to the “Website Privacy Notice” link in the website footer.

4. RIGHTS OF CLIENTS, SUPPLIERS AND THIRD PARTIES.

The data subject – i.e. the person providing his/her personal data to the Controller – has the following rights:

  • • the right to request access to personal data from the Controller, i.e. to know which data are processed;
  • • the right to rectification, i.e. to have personal data corrected if they are inaccurate or out-of-date;
  • • the right to restriction of processing, i.e. to limit the way in which the Controller uses the data;
  • • the right to object, on legitimate grounds, to processing of personal data;
  • • the right to data portability, i.e. the right to receive all personal data processed by the Controller in a structured, commonly used and machine-readable format;
  • • the right to request erasure of personal data from the Controller (“right to be forgotten”);
  • • the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
  • • the right to lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) in the event of a breach of data protection law.

For a more detailed description of these rights, please refer to Articles 15–16–17–18–20–21 of EU Regulation 679/2016. Requests may be addressed to the Controller, without formalities, using the contact details indicated at the beginning of this notice.

5. SECURITY MEASURES.

The Controller undertakes to protect your data by adopting all necessary physical and IT security measures. However, no security system can guarantee absolute protection. Therefore, except where the Controller is at fault, MEET and WORK cannot be held liable for acts committed by third parties who unlawfully gain access to systems and premises without proper authorisation. For any information on the security measures adopted, please contact the addresses indicated above.