This policy is made available to inform all those who, spontaneously or following a search for personnel carried out by Whatwapp Entertainment S.r.l., also through third parties and/or telematic channels for searching and offering job positions, send their curriculum vitae to Whatwapp Entertainment S.r.l. (hereinafter individually the “Candidate” and jointly the “Candidates”), granting the same the right to process the data entered therein, or granting the right to extrapolate personal data from any contact channels from which it is possible to find information relating to the professional career and expertise of the Candidate (by way of example but not limited to LinkedIn or the like), according to art. 13 of Legislative Decree of 30 June 2003, no. 196 and subsequent amendments (“Code regarding the protection of personal data”) and art. 13 of the European Regulation on the protection of personal data n. 679/16, acronym GDPR (“General Data Protection Regulation”).
1. Data Controller
The data controller is Whatwapp Entertainment S.r.l. (Tax code and VAT number: 08200040965), from now on the “Data Controller”, having its registered office in 20123 – Milan, at Via Venti Settembre n. 27.
2. Data Controller’s contacts
The Data Controller may be contacted for any reason and the correct exercise of the data subject’s rights by sending a message to the email address firstname.lastname@example.org, or by sending a letter to the registered office of the Data Controller, which is located in 20123 – Milan, at Via Venti Settembre n. 27, for the attention of Whatwapp Entertainment S.r.l (Tax code and VAT number: 08200040965).
According to the European Data Protection Regulation no. 2016/679 (GDPR), to facilitate the reading and understanding of this information, the definition of the following terms is reported:
- Personal Data: any information concerning an identified or identifiable natural person (so-called “Data Subject”, but from now on also individually the “Candidate” and jointly the “Candidates”); the natural person is considered identifiable who can be identified, directly or indirectly, with particular reference to an identifier such as the name, an identification number, location Data, an online identifier or one or more characteristic elements of his physical identity, physiological, genetic, psychic, economic, cultural or social;
- Data Processing: any operation or set of operations carried out with or without the aid of automated processes and applied to Personal Data or sets of Personal Data, such as the collection, registration, organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, comparison or interconnection, limitation, cancellation or destruction;
- Limitation to Data Processing: the marking of Personal Data stored to limit their processing in the future;
- Data Controller: the natural or legal person, public authority, service or other which, individually or together, determines the purposes and means of the processing of Personal Data; when the purposes and means of such processing are determined by the law of the Union or of the Member States, the Data controller or the specific criteria applicable to its designation may be established by the law of the European Union or of the Member States;
- Data Processor: the natural or legal person, public authority, service or other Authority that processes Personal Data on behalf of the Data Controller;
- The Recipient of the Personal Data: the natural or legal person, public authority, service or other Authority that receives communication of Personal Data, whether it is a third party or not. However, public authorities that may receive disclosure of Personal Data in the context of a specific investigation under the law of the Union or the Member States are not considered recipients; the processing of such Data by said public authorities comply with the applicable Data protection rules according to the purposes of the processing;
- Third Party: the natural or legal person, public authority, service or other Authority other than the Data Subject, the Data Controller and the persons authorized to process Personal Data under the direct authority of the Data Controller or responsible;
- Consent of the Data Subject: any manifestation of the free, specific, informed and unequivocal will of the interested party, with which the same expresses his/her consent, through an unequivocal positive declaration or action, that the Personal Data concerning him/her are being processed;
- Data Breach: the security breach that accidentally or unlawfully involves the destruction, loss, modification, unauthorized disclosure or access to Personal Data transmitted, stored or otherwise processed;
- Data Protection Authority: independent public authority responsible for monitoring the application of EU Regulation no. 679/2016 (GDPR), to protect the fundamental rights and freedoms of individuals concerning processing and to facilitate the free circulation of Personal Data within the Union;
- EU Regulation no. 679/2016 (GDPR): Regulation that establishes rules relating to the protection of individuals concerning the processing of Personal Data, as well as rules relating to the free circulation of such Data, protects the fundamental rights and freedoms of individuals, in particular the right to the protection of Personal Data. The free circulation of Personal Data in the Union cannot be limited or prohibited for reasons relating to the protection of individuals concerning the processing of Personal Data.
4. Legal basis and purposes of the processing
Personal data are collected following current privacy legislation and are mainly processed with the aid of computer tools and in full compliance with the provisions of EU Regulation no. 679/2016 (GDPR), by Legislative Decree 196/2003 and subsequent amendments, and by provisions of the Italian and European Personal Data Protection Authority.
The personal data, which will be listed below in this policy, are processed by the Data Controller by the express consent provided by the Candidate, by sending their curriculum vitae or by sharing their data, in any way carried out. The retention of personal data for the time referred to in point 6. also takes place by the legitimate interest of Whatwapp Entertainment S.r.l. consisting in the need to fulfil the phases of the recruitment activity, as well as the subsequent phases of data retention for the purposes described in the continuation of this information, and mainly consisting in the possibility of re-contacting the Candidates with whom, for whatever reason, Whatwapp Entertainment S.r.l. did not establish an employment relationship.
Candidates’ data will be processed by the Data Controller for the following purposes:
- to carry out personnel research and selection activities such as, by way of example but not limited to, the management of applications, the evaluation of curricula concerning the job offer, as well as the management of the various candidate profiles, concerning current and future job positions present in Whatwapp Entertainment S.r.l.;
- to allow the personnel specifically appointed by Whatwapp Entertainment S.r.l. to contact Candidates to request and collect further information;
- to, possibly, manage the activities necessary for the establishment of the employment relationship between the Candidates and Whatwapp Entertainment S.r.l.;
- keep personal data concerning the individual Candidate for the time necessary for the correct fulfilment of the purposes indicated herein and in compliance with the terms of the law, also concerning the specific legal bases listed in this disclosure;
- limited to certain categories of personal data (by way of example and not limited to age, nationality, sex, etc.), to conduct statistical analyses regarding the use of the various channels used to propose applications, or further statistical analyses relating to the activity of recruitment;
- request and store feedback relating to the recruitment activity, to be received also by filling in anonymous questionnaires provided at the end of the selection process to the Candidate.
5. Categories of personal data processed
For the purposes referred to in the previous point, the Data Controller will process the following categories of data:
- name and surname;
- tax code;
- residence and/or domicile;
- place of work;
- e-mail and/or certified email address;
- telephone number and/or fax;
- employer, role etc.;
- previous work experience;
- any additional information provided during the recruitment process;
- a hypertext link to the LinkedIn profile and information contained therein;
Sensitive data may also be processed in cases where it is specifically permitted by law or the Candidate’s explicit desire. As an example only and without limitation:
- the membership of a trade union organization;
6. Data retention and safety measures
The personal data will be kept for the entire time necessary to achieve the purposes referred to in point 4. (“conservation limitation principle” according to Article 5 of EU Regulation no. 2016/679), as further detailed below.
As far as the personal data of all Candidates are concerned, these will be collected and processed for the time necessary to manage the recruitment activity, which may last for an overall time not exceeding 12 (twelve) months starting from the sharing of data with Whatwapp Entertainment S.r.l.; at the end of the recruitment activity, the data of the Candidates, including those not selected and those deemed suitable for job positions other than those for which they applied, will be kept for a time of a further 2 (two) years starting from the closure of the recruitment activity. The deadline will be duly reported by sending an informative e-mail unless the Candidate has previously requested the cancellation of their data under the provisions of Article 17 of EU Regulation no. 2016/679.
Regarding the personal information of Candidates deemed qualified for the positions for which they have submitted their curriculum, the whole information is processed in accordance with the terms of the specifically designated confidential information for employees of Whatwapp Entertainment S.r.l., to which full reference is made, and is retained for a period of ten (10) years following the date the employment relationship ended.
To fulfil any obligations established by law, as well as to ensure adequate judicial protection for the Data Controller, or on the recommendation of the competent Authorities, personal data may be kept for a longer time.
The Candidate may get a questionnaire to be completed anonymously at the conclusion of the selection activity, in whatever form it ends, with questions pertaining to the personnel selection process. In this case, neither the questionnaire’s construction nor any of the individual responses will be able to identify or otherwise make the Candidate who gave them identifiable. For the Company to improve the recruiting process, the data acquired on this occasion will be processed anonymously and aggregated. The data will be saved and used for as long as is necessary to fulfil the Company’s legitimate purpose in doing so.
Specific security precautions are taken to avoid data loss, unauthorized access, and unauthorized or improper use. These precautions will be disclosed upon request.
7. Place of data processing
The processing of the personal data takes place mainly at the operational headquarters of the Data Controller, located in 20124 – Milan, at Piazza Sigmund Freud n. 1, Garibaldi Tower. However, in the guise of technical and organizational measures adopted by Whatwapp Entertainment S.r.l., such data could be processed and stored even outside that office, but always within the European territory, to ensure adequate protection of the same in compliance with EU Regulation no. 679/2016 (GDPR). Further clarifications can be requested in the manner described in the section “Rights of the Candidate”.
8. The Recipient of the Personal Data
The personal data collected by the Data Controller will be processed by authorized subjects, designated as Data Processors according to art. 28 of the EU Regulation no. 679/2016 (GDPR) or in charge of processing according to art. 29 of the EU Regulation no. 679/2016 (GDPR) and according to art. 2-quaterdecies of Legislative Decree no. 196/03, as amended by Legislative Decree no. 101/2018, which act based on specific instructions provided by the Data Controller regarding the purposes and methods of processing.
In any case, personal data, concerning the purposes specified in point 4., may be disclosed to public authorities, where necessary to fulfil legal obligations or orders from the same authorities.
The complete list of recipients of personal data, as well as further information on the transfer of data outside the EU, are available upon request, to be sent to the addresses indicated below in the “Candidate’s rights” section.
9. Data transfer to a non-EU country
To ensure the conservation and correct processing of the personal data provided by the Candidate, the Data Controller uses servers and devices located in Italy, within the European Economic Area and beyond.
In fact, for organizational and managerial reasons of the Data Controller, some personal data may be used, stored and/or accessible, or in any way processed, by subjects (designated as Data Processors, or independent Data Controllers) who operate outside the European Economic Area. When personal data are transferred outside the European Economic Area, the Data Controller takes appropriate measures to ensure that the recipient adequately protects personal information by the laws in force. These measures include but are not limited to, the stipulation of standard contractual agreements approved by the European Commission with entities based in countries outside the European Economic Area, or the verification that the recipients have already entered into such standard contractual agreements and adopted the appropriate security measures, in compliance with art. 46 and ss. of the EU Regulation n. 2016/679.
10. Candidate’s rights
The Candidate has the right to obtain from the Data Controller, in the cases provided for by law (articles 15 and following of EU Regulation no. 2016/679):
- the access to his/her personal data;
- the rectification or cancellation of personal data;
- the limitation of the processing of personal data;
- the right to oppose the processing of personal data;
- withdraw consent to the processing of personal data;
- if possible, receive the personal data provided to the Data Controller in a structured format, commonly used and readable by an automatic device;
- transmit personal data to another Data Controller.
To exercise his/her rights, the Candidate may send an application to the Data Controller at the following e-mail address: email@example.com, or through A/R to the registered office of the Data Controller located in 20123 – Milan, at Via Venti Settembre n. 27, for the attention of Whatwapp Entertainment S.r.l. (Tax code and VAT number: 08200040965), in which he/she must provide the necessary and sufficient information to allow to verify that it is the person concerned by the treatment, or a subject authorized to do so (by way of example only and not limited to in the case in which the treatment involves minors). In the case of a request for deletion of data (according to Article 17, paragraph 1, of EU Regulation no. 2016/679), the interested party must specify the reasons underlying the same.
The Data Controller reserves the right to evaluate the lawfulness of the request received. It should be noted that requests for which it is not possible to verify the identity of the data subject will not be considered.
Requests will be handled by the Data Controller within 30 (thirty) days of their receipt. If more time is needed to process the request, it will be the responsibility of the Data Controller to inform the Candidate. In case of refusal of the request, the reasons will be explained.
10.1. Right to lodge a complaint
The Candidate has the option to file a complaint with the Guarantor as required by article 77 of the Regulation or to go to the appropriate judicial offices in accordance with article 79 of the aforementioned Regulation if he believes that the processing of personal data pertaining to him and carried out using the methods described in this information violates the provisions of EU Regulation no. 2016/679 (GDPR).
Whatwapp Entertainment S.r.l.