INFORMATION ON THE PROCESSING OF PERSONAL DATA
Introduction
General data applicable to all information on the processing of personal data.
In this section you can find the general information that applies to all the following information.
Joint controllers of the processing of personal data pursuant to the law are:
| HOLDER | CONTACT DETAILS | REFERENCE WEBSITE |
| Yoda Investor Sr | privacy@gruppoyoda.com | https://www.gruppoyoda.com |
| Athics Srl | privacy@athics.ai | https://athics.ai |
| Athilab Srl | privacy@athilab.eu | https://www.athilab.eu |
Recipients of data (by category)
Authorized to process data, duly trained and bound to confidentiality.
Data Processors: service providers to whom data may be transmitted who process them on behalf of the Controller on the basis of a legally binding agreement, which guarantees the protection of personal data.
Autonomous controllers who present sufficient guarantees to process the data of the interested parties and with a valid legal basis to do so (for example, authorities and control and supervisory bodies, public or private entities that have the right to request data, such as partners or suppliers).
Legitimate interests pursued by the Data Controller
The data controller may use its legitimate interest as the legal basis for a specific purpose by balancing its rights with those of the data subject, taking into account his or her “reasonable expectations” also in consideration of the existing relationship with the data controller. When the processing is based on the legitimate interest of the data controller, it is not necessary to request the data subject’s consent to pursue that specific purpose. The processing must not have negative effects on the rights and freedoms of the data subject.
Transfers to third countries pursuant to articles 46, 47, 49 GDPR
Transfers to third countries will take place in accordance with current legislation:
in countries recognized as safe by the EU Commission
in countries with which Europe has International agreements on data protection
with subjects with whom the Data Controller has stipulated legally binding agreements to provide adequate guarantees for the protection of the Data Subjects as required by the legislation.
in the presence of derogations provided for:
consent of the interested party
by necessity and not in a repetitive manner for types and quantities of data that allow it.
Further details on the location, adequate guarantees and copy of the data can be requested from the Data Controller and/or will be provided in specific reference information.
Rights of the interested parties
Obtain confirmation or not of ongoing processing and possibly obtain access to the data concerning the interested party
Know the origin of the data processed by the Data Controller
Verify the accuracy of the data concerning the interested party
Oppose, for legitimate reasons, the processing
Request any integration, cancellation, updating, rectification, blocking of personal data processed in violation of the law, portability
Requests can be addressed to the Data Controller via the contact details in the header
or to the Data Protection Officer (DPO) at the following contact details: dpo@athics.ai
The interested parties also have the right to:
Be informed about violations that may present a high risk for the interested parties themselves
Propose a complaint to the competent Supervisory Authority in the Member State in which they habitually reside or work or in the State in which the alleged violation occurred.
Consent
Where free, optional and revocable consent is required by the Data Subject, it is collected for the processing that requires it in a specific location for a specific type of data or purpose.
Categories of personal data in question
For some of the Data Controller’s activities, the personal information collected concerns common data (may include identification and contact data, etc.) and, sometimes, data belonging to special categories pursuant to Article 9 of the GDPR (only in the presence of an adequate legal basis, for example when the data subject has expressed his or her consent or the Data Controller must exercise rights in the field of employment and social security law).
Additional purposes
If the data controller intends to further process the personal data for a purpose other than that for which they were collected, before such further processing the Data Controller provides the data subject with information regarding such different purpose and any additional information relevant to the new purposes.
Such communications may take place through an update of the Information and/or through the data subject’s contacts.
Date and Version
V.01_February_2024
Information for the Forms on the Owner’s Websites and/or for commercial communications. This information supplements the general data and is provided to the Interested Parties for the indicated treatments. For these treatments, the Owner indicated on the first page are to be considered Joint Controllers of the treatment.
Purposes and Legal Bases of the Processing and Criteria for determining the data retention period
CONTACT FORM AND COMMERCIAL COMMUNICATIONS VIA EMAIL
The personal data subject to processing are provided by those who browse the site and interact with it. The data may include identification and contact data (name, surname, email address, etc.), special data (pursuant to art. 9 GDPR) that could be spontaneously provided by filling out the contact form.
The personal data of the interested party are processed to
Respond to requests or questions submitted by the User, the basis of which is the legitimate interest of the Data Controller to be identified in the reasonable expectation that the user expects that his/her personal data will be used to respond to his/her contact request. In the event that special data are provided, the legal basis is the consent confirmed by checking the appropriate box. The data will be processed for the time necessary to manage the request sent.
Send commercial communications, through contact details, provided via form and/or during conventions, events, fairs, in which the interested party has provided their data (e.g. via business card). These communications are aimed at promoting Products/Services provided by the Data Controller. The legitimate interest of the Data Controller in promoting its business with these types of Interested Parties is the basis of the processing considering their reasonable expectations. The processing will take place until the legitimate interest of the Data Controller ceases or the exercise of the right of opposition by the Interested Party.
Cookie
This information integrates the general data and is provided to the interested parties for the indicated treatments.
Information for Candidates
This information supplements the general data and is provided both to the Interested Parties who propose their candidacy for a job position to the Data Controller and for specific personnel searches possibly promoted by the Data Controller also with the support of specialized subjects.
For these treatments, the Data Controller indicated on the first page are to be considered Joint Data Controllers.
Purposes and Legal Bases of the Processing and Criteria for determining the data retention period
The personal data of the interested party are processed for the following purposes:
Examination of the profile and evaluation of the candidate and organization of meetings and interviews
Preparation of documentation for hiring in the event of a positive evaluation
If necessary, to ascertain, exercise or defend the rights of the Data Controller in or out of court
The applicable legal bases of the processing identified by the GDPR are:
Performance of pre-contractual activities
Legal obligations
Legitimate interest of the Data Controller for a better organization of the activity (e.g. communication via the telephone number provided also via SMS
The maximum data retention period is 24 months from the provision of the data. After the retention periods indicated above, the data will be destroyed, deleted or made anonymous, compatible with the state of the art and implementation costs.
After the retention periods indicated above have elapsed, the data will be destroyed, deleted or made anonymous, compatible with the state of the art and implementation costs.
Source from which personal data originate
Personal data is generally collected from the interested party but, in some cases, comes from publicly accessible sources such as, for example, university databases or agencies that process data to allow interested parties to receive job offers.
Version and date
V.01_February_2024
Information on contractual relationships
This information supplements the general data and is provided to the Interested Parties for the indicated processing.
Purposes and Legal Bases of the Processing and Criteria for determining the data retention period
The purposes of the processing are linked to the presentation of the Data Controller’s Services, commercial proposals (carried out or received), negotiation and stipulation of agreements.
The legal bases for this processing are:
necessity for the exercise of pre-contractual and contractual measures
consent (where necessary it will be requested)
legitimate interest of the Data Controller in a more convenient organization of its work activity.
The criterion identified for the retention of such data is linked both to compliance with current tax and administrative regulations as well as those found to keep a profitable network of commercial contacts updated and constant.
Source from which personal data originate
Data not collected from the interested party comes from publicly accessible sources such as, for example, company websites and used in compliance with the principle of purpose.
Social media searches may be carried out regarding certain professional figures to better identify their professional role.
Certain Interested Parties/Contacts may be introduced to the Data Controller through partners or collaborators.
Contractual reference
The Parties undertake to ensure that the personal data provided to each other are processed in compliance with the European Regulation for the Protection of Personal Data 2016/679 (“GDPR”), Legislative Decree no. 196/2003 (“Privacy Code”) and subsequent amendments and additions, as well as within the limits indicated below.
Among the possible actions to be carried out, if the type of relationship between the Parties concretizes the case provided for by art. 28 GDPR, there is the signing of a Controller-Processor Agreement on the processing of personal data. The Parties undertake from now to fulfill this possible obligation in a specific attachment “DPA ex art. 28 GDPR – Controller-Processor Agreement”.
The Parties mutually acknowledge, as Data Controllers, that such personal data will be processed in order to stipulate and execute the contractual relationship, i.e. for purposes strictly connected and instrumental to the performance of any pre-contractual activities, to the management of the contractual relationship (e.g. administrative and accounting activities), to the fulfillment of contractual obligations as well as to fulfill legal obligations, and will be retained for needs inherent to the execution of the Contract and in any case for the time necessary to fulfill the legal or regulatory obligations of the Data Controller.
The data will be processed only by the Parties, by persons specifically authorized by them or by other third parties used by the same Parties, specifically appointed as External Data Processors, as well as by independent Data Controllers with adequate legal basis (e.g. by the Authorities in case of request). Personal data will not be subject to dissemination intended as publication unless it is a processing provided for by consent of the interested party, by the nature of the Contract or by the legal obligations to which the Data Controller is subject.
The Parties retain the right to transfer the data outside the territory of the European Union, to those states that ensure the same level of security and guarantee in the processing of data as well as full compliance with the provisions of the GDPR.
Version and date
V.01_February_2024