Privacy Notice on the Processing of Personal Data of
Candidates pursuant to Articles 13 and 14 of the GDPR
In your capacity as a data subject whose personal data are processed, we inform you that the information and data provided by you or otherwise acquired will be processed in compliance with the provisions of EU Regulation 679/2016 (hereinafter “GDPR”), the Italian Privacy Code – Legislative Decree 196/2003 as amended by Legislative Decree 101/2018, as well as with the confidentiality obligations that inspire the activities of Edisplay S.r.l. (hereinafter also referred to as “Edisplay”, the “Controller”, or the “Company”).
1. Data Controller
The Data Controller is:
Edisplay Srl (Tax Code and VAT No. 01172340919), registered office in Fonni (NU), Viale del Lavoro no. 53, represented by its legal representative pro tempore (Phone: +39 02 89050969, Email: dpo@edisplay.it ).
The list of authorized persons who may process personal data is kept at the Controller’s premises and is available upon request from the data subject.
2. Categories of Personal Data Processed
To the extent permitted by applicable law, the Company may process the following personal data provided through the CV during the recruitment phase and during job interviews.
| Common Data | identification and contact data such as: name, address, or other personal identification elements; telephone number and email address; data relating to education and professional background such as: training, professional experience, current role or corporate position, last salary received (if indicated), website, LinkedIn page, or other social profiles; additional personal data (including information relating to hobbies and interests) that may be included in the CV submitted to the Company or in the motivation letter. |
| Special categories of data pursuant to Article 9 GDPR | The Company does not process special categories of personal data (such as, for example, data revealing health status or trade union membership). If such data are included in the CV, they will be immediately deleted by the Company. If the Candidate belongs to a protected category under the law (e.g., Italian Law 68/99), the candidate must provide information revealing their health condition, which will be processed in compliance with Article 9 of the GDPR and applicable privacy legislation. |
Where deemed necessary for the specific position, additional information may be requested to verify potential conflicts of interest that may arise in relation to the job role.
Personal data not collected directly from the candidates may be provided to the Company by head hunters or specialized recruitment agencies.
The Controller also informs candidates that their personal data will not be disclosed to third parties other than those indicated in Article 6 of this notice and will not be publicly disclosed.
3. Purpose of Processing, Legal Basis, Retention Period and Nature of Data Provision
The Controller informs data subjects that personal data acquired through the CV and/or through correspondence with candidates and/or through interviews, as well as data communicated pursuant to the previous section, will be processed electronically and physically for the following purposes:
| Purpose of processing | Legal basis for processing | Data retention period | Nature of the provision of personal data |
a) Recruitment and personnel selection, including the management of: |
Art. 6(1)(b) GDPR: performance of pre-contractual measures taken at the request of the data subject. | Personal data will be retained for a limited period of time, strictly related to the purposes for which they were collected and in compliance with applicable legal or regulatory obligations. Specifically, Candidates’ personal data will be stored and processed for a period not exceeding 12 months from the date of their collection by the Controller (the “Retention Period”). At the end of the Retention Period, the Candidates’ personal data will be deleted, unless there are further legitimate interests of the Controller and/or legal obligations arising from the possible establishment of an employment relationship, or other legal requirements that make their retention necessary, subject to prior data minimization. |
The provision of personal data through the submission of a CV is not mandatory, but it is necessary in order to carry out the recruitment and selection process. Failure to provide the above-mentioned personal data may therefore make it impossible for the Company to proceed with the selection process and the possible establishment of an employment relationship. In any case, except where the recruitment process is aimed at candidates belonging to protected categories under the law, the Company invites all individuals wishing to submit their application not to provide special categories of personal data pursuant to the GDPR (such as, by way of example and not limited to, data relating to health status, political opinions, religious beliefs, judicial data, or data revealing racial or ethnic origin). |
| b) Management of information requests submitted through the contact form available on the Company’s website or sent via email to the indicated address. | Art. 6(1)(b) GDPR: performance of pre-contractual measures taken at the request of the data subject. | ||
| c) Evaluation of applications submitted within recruitment processes involving individuals belonging to protected categories pursuant to Italian Law No. 68/99. | Art. 9(2)(b) GDPR: processing necessary for the purposes of carrying out obligations and exercising specific rights of the Controller or of the data subject in the field of employment and labour law. | ||
| d) Establishment, exercise or defence of legal claims in judicial proceedings. | Art. 6(1)(f) GDPR: legitimate interest of the Controller in establishing, exercising or defending legal claims or protecting its rights or those of a third party. |
Where the legal basis is the Controller’s legitimate interest, the Controller has carried out a balancing test to ensure that processing is proportionate and does not prejudice the rights and freedoms of the data subjects.
If the Company intends to process personal data for purposes incompatible with those originally collected, the data subject will be informed in advance and, where required, their consent will be requested.
4. Methods of Processing Personal Data
Personal data will be processed using IT and electronic tools.
Appropriate procedures and tools will be adopted to ensure security and confidentiality, including collection, recording, storage, use, modification, communication, archiving, deletion, or destruction of the data.
Personal data will not be processed through fully automated decision-making systems, including profiling.
5. Security Measures
All Company personnel who have access to personal data must comply with internal rules and procedures governing the processing of personal data in order to protect them and guarantee confidentiality.
The Company has also implemented appropriate technical and organizational measures to protect personal data against destruction, loss, alteration, misuse, disclosure, unauthorized access, whether accidental or unlawful, and any other unlawful form of processing.
6. Recipients
Where necessary, your personal data may be communicated to the following recipients:
- authorized personnel processing the data;
- data processors pursuant to Article 28 GDPR;
- entities entitled to access the data by virtue of legal or regulatory provisions, including collective agreements;
- service providers involved in recruitment, personnel selection and evaluation activities;
- the Data Protection Officer (DPO).
Third-party service providers must comply with a set of technical and organizational security measures, including:
- information security management
- information security risk assessment
- information security controls (e.g., physical and logical access controls, malware protection, encryption measures, backup and recovery systems)
These third parties process the shared personal data in accordance with the purposes for which they were originally collected and with a level of protection at least equivalent to that required within the European Union.
7. Transfer of Data Abroad
Personal data processed for the purposes described above will remain within the European Union and will not be transferred to third countries outside the EU.
Any transfer of personal data to non-EU countries will occur only in compliance with the guarantees provided by the GDPR, particularly Articles 44–49.
An updated list of processors/sub-processors involved in the processing of personal data, including a description of their processing activities and their location, is available at the following webpage: currently under review.
8. Rights of the Data Subject
The Controller informs the data subject that they may withdraw their consent at any time (where given) and exercise the following rights under Articles 15–22 of the GDPR:
- obtain confirmation as to whether personal data concerning them are being processed and access to those data (Article 15 GDPR);
- obtain without undue delay the rectification of inaccurate data or completion of incomplete data (Article 16 GDPR);
- obtain the erasure of personal data (Article 17 GDPR);
- receive personal data in a structured, commonly used and machine-readable format and transmit them to another controller (data portability – Article 20 GDPR);
- object to processing at any time on grounds relating to their particular situation (Article 21 GDPR);
- obtain restriction of processing (Article 18 GDPR);
- obtain human intervention in automated decision-making processes (Article 22 GDPR);
- withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal (Article 7 GDPR);
- lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali) if they believe that personal data have been processed unlawfully (Article 77 GDPR).
The data subject may exercise their rights:
- by email: dpo@edisplay.it
- by regular mail: to the registered office of Edisplay Srl
When contacting the Controller, the user should include their name, email address, postal address and/or phone number to allow the request to be handled correctly.
The Company will respond to requests within one month, unless the complexity or number of requests requires an extension.
9. Data Protection Officer (DPO)
The Company has appointed a Data Protection Officer (DPO) pursuant to Article 37 GDPR.
The role is held by Lawyer Elena Donegana.
Contact details:
Email: dpo@edisplay.it
10. Updates to this Privacy Notice
The Controller reserves the right to modify, update, add or remove parts of this Privacy Notice at any time at its discretion.
Effective date: 04/03/2026
