Privacy notice given pursuant to Article 13, GDPR
SERVIZI AZIENDALI PRICEWATERHOUSECOOPERS S.r.l. (hereinafter “SAPwC” or the “Controller”), with a registered office in Milan, Piazza Tre Torri, n. 2, represented by its pro-tempore legal representative, a company providing administrative, accounting and organisational services, including personnel search and selection, to the Italian entities belonging to the PwC Network, (hereinafter “PwC”) with which it has executed joint control agreements pursuant to Article 26 of GDPR2, the key content of which is available on demand at the premises of the Controller, hereby provides the information required by Article 13 of GDPR (the “Privacy Notice”).
(a) Contact details of the Controller
SERVIZI AZIENDALI PRICEWATERHOUSECOOPERS S.r.l.
Piazza Tre Torri, n. 2 - 20145 Milano
Fiscal Code and VAT Registration: 12449670152
Tel. +39 02 77851
(b) Contact details of the data protection officer
Data Protection Officer (“DPO”)
Piazza Tre Torri, n. 2 - 20145 Milano
PEC (certified electronic mail): dpo-sap@pec-pwc.it
Tel. +39 02 66734162
Fax. +39 02 66734163
(c) Purposes of the processing of personal data and legal grounds
Your personal data shall be processed for the following purposes:
- Carrying out hiring research and activities including, but not limited to, processing your application, assessing your CV for different job offer and processing your profile in connection with current and future open positions within the Italian entities of the PwC Network;
- Enabling PwC personnel to contact you in order to collect additional information about your application as well as to carry out reputational audits to the extent necessary and to the extent permitted, from time to time, by current legislation;
- Performing activities useful for establishing the professional relationship;
- Only with reference to certain categories of personal data (i.e. gender and age), conducting statistical analyses concerning, for instance, the use of Workday (an e-platform used by the Controller for personnel selection), the channels used by data subjects to apply for open positions, PwC’s recruiting activities;
- Complying with the policies and procedures adopted by the Controller by virtue of it belonging to the PwC Network, also designed suitably to manage shared operating and quality control processes, as well as specific cooperation relationships between legal entities belonging to the Network.
(d) Categories of personal data processed
For the purposes of processing listed in paragraph (c) above, the following data categories shall be processed:
- ordinarily: ‘common’ personal data, such as for instance: given name and family name, fiscal code, VAT registration number, residence, domicile, place of work, email or certified email (PEC) address, telephone and telefax number, employer, company role and/or grade, etc;
- occasionally: ‘special’ personal data, for instance trade union membership or state of health. Except for the circumstances provided for by law, the Controller has no need to process such personal data. For this reason, without prejudice to law requirements, ‘special’ personal data shall be collected by the Controller solely if applicants provide them voluntarily, the decision as to whether or not to share those data at the time of the application being at their discretion.
(e) Categories of recipients of the personal data
For the purposes of processing listed in paragraph (c) above, access to the personal data that you provide may be given to:
Employees and freelancers of the Controller and/or one or more of the other Italian legal entities (joint controllers pursuant to article 26 of GDPR) – In their capacity as persons authorised to process the personal data – or of one or more of the foreign entities of the PwC Network;
Judicial or supervisory authorities, public sector and private sector (domestic and foreign) administrations, bodies and organisations, and professional associations;
Professionals and advisors, not necessarily belonging to the PwC Network, engaged by the Controller and/or one or more of the other Italian legal entities of the PwC Network to carry out activities related to the administrative management of the relevant corporate structure or defence in court proceedings as well as to companies offering consultancy services and other professional services in the context of personnel selection activities.
(f) Storage and transfer abroad of personal data
Personal data are managed and stored in the cloud and on servers located within and outside the European Union that are owned by and/or available to the Controller and/or third parties, duly appointed as processor. Personal data may be transferred abroad to countries outside the EU in compliance with the regulations in force, as well as in accordance to the provisions adopted by the European Court of Justice and by national and foreign Authorities regarding the protection of personal data. Your personal data shall not be disseminated.
(g) Period of storage of personal data
The personal data collected for the purposes listed in paragraph (c) above shall be processed and stored for the following lengths of time:
Personal data of applicants who are not selected by PwC or who are found to be suitable for positions other than that advertised shall be stored until the end of the fiscal year after a minimum period of 12 months from the last use within Workday (this being the last action taken on the platform by the applicant or the recruiter), unless the applicant submits a request for erasure in accordance with Article 17 of GDPR. In any case, applicants’ personal data shall not be stored for longer than three years from the date they were collected;
Personal data of data subjects who are found to be suitable for the positions advertised shall be stored in accordance with the provisions of the privacy notice applicable to employees of PwC, for a period of 10 years, plus 12 months from the date of termination of employment;
In connection with complying with national or EU laws and regulations, or executing orders or instructions from judicial or supervisory authorities, or professional bodies, as well as to enable the Controller to exercise its rights, specifically defending itself in court proceedings, the data shall be stored for the statutory time limit established by the specific legislation applicable in the circumstances, plus 12 months;
In connection with complying with the policies and procedures adopted by the Controller by virtue of it belonging to the PwC Network, the data shall be stored for a period of 3 years following the fulfilment of the obligations set forth in those documents.
(h) Rights of the data subject
Pursuant to Chapter III, Section I, of GDPR, you can exercise the rights listed therein, i.e.:
- Right of access – The right to obtain confirmation as to whether or not personal data concerning yourself are being processed and, where that is the case, to obtain information, in particular about: the purposes of the processing, the categories of personal data processed and the period of storage, the recipients to whom the personal data may be disclosed (Article 15 of GDPR);
- Right to rectification – The right to obtain, without undue delay, the rectification of inaccurate personal data concerning yourself and to have incomplete personal data completed (Article 16 of GDPR),
- Right to erasure – The right to obtain, without undue delay, the erasure of your personal data, in the circumstances envisaged by GDPR (Article 17 of GDPR),
- Right to restriction of processing – The right to obtain from the Controller the restriction of processing in the circumstances envisaged by GDPR (Article 18 of GDPR),
- Right to data portability - The right to receive the personal data concerning yourself which you have provided to the Controller in a structured, commonly used and machine-readable format, and to have those data transmitted to another controller without hindrance, in the circumstances envisaged by GDPR (Article 20 of GDPR),
- Right to object - The right to object to processing of personal data concerning yourself, unless legitimate grounds for the Controller continuing the processing exist (Article 21 of GDPR),
- Right to file a complaint with the Authority - The right to file a complaint with the Italian data protection authority, Garante per la protezione dei dati personali. (Information and contact details can be found on the authority’s website www.garanteprivacy.it).
You may exercise the above rights simply by sending an e-mail to the PEC address of the Data Protection Officer reported above.
(i) Method of processing
Processing of your personal data takes place through the operations listed in Article 4, item (2) of GDPR – whether or not with the help of information systems – specifically: collection, recording, organisation, structuring, updating, storage, adaptation or alteration, retrieval and analysis, consultation, use, disclosure by transmission, comparison, interconnection, restriction, erasure or destruction.
In any case, the logic security and physical safety and, in general, the confidentiality of the personal data processed shall be ensured, through all necessary, appropriate technical and organizational measures.