1. Who is the data controller?
This policy applies to:
- employees, including apprenticeship contracts, training, work experience or insertion contract, a job-sharing agreement, intermittent or on-call work, or those who provide services in the context of a supply contract or a traineeship relationship; associates, even those who are partners, and, if necessary, to their relatives and cohabitants;
- consultants and freelancers, agents, representatives and proxies;
- those who carry out coordinated services on a continuous basis, even where employed on fixed-term contracts; other independent collaborators, even where they are providing ancillary services;
- any individual, regardless of their work title, who works for or provides services to the Company;
(hereinafter, each one of these shall be referred to as an “Data subjects”).
3. Which data are being processed?
Data subject's personal data collected in the course of pre-contractual exchanges of information, or at the signature of the employment or collaboration contract or agent contract, or data provided by the Data Subject at any moment during his employment or collaboration with the Company (jointly referred to as “Data”). This includes both common personal data – such as ID and contact details (for example, name, surname, email address, phone number, etc.) – as well as specific categories of personal data, such as information apt to reveal racial origin or ethnicity, political opinions, religious or philosophical beliefs, labour union affiliation, as well as genetic data, biometric data that lead to the certain identification of individuals; information pertaining to health, sexual lifestyle and sexual orientation; information pertaining to legal matters, i.e. information regarding criminal offences and convictions. The information collected must be strictly relevant to the obligations, tasks and purposes mentioned above that cannot be fulfilled or carried out – depending on the case – via the processing of anonymous data or different types of personal data. More specifically:
- in the context of data that may reveal religious, philosophical or other beliefs, or participation in religious or philosophical associations and organisations, information regarding use of, or participation in, religious festivities or canteen services, as well as displays of conscientious objection, when required by the law;
- in the context of data that may reveal political opinions, political party or trade union membership, membership of political or trade union associations or organisations; information regarding the exercise of a public function, political appointments, labour union activities or tasks (as long as the processing is carried out in order to ensure the permits or periods of leave are granted in accordance with the law, or as foreseen, as the case may be, by collective or corporate agreements), or the organisation of public initiatives, as well as data pertaining to deductions paid as fees for trade union services, or for membership of political or trade union associations and organisations;
- in the context of data that may reveal health status, information collected and processed referring to invalidity, sickness, pregnancy, post-partum or breastfeeding, accidents, exposure to risk factors, psycho-physical eligibility to carry out certain duties, belonging to certain protected categories, as well as data contained in health certificates revealing the status of a sickness affecting an Data Subject, including employment-related sicknesses, or in any event, information that specifies whether the sickness is the main cause of the worker's absence; and
- in the context of legal information, data pertaining to criminal records and pending charges against candidates applying for positions that require certain guarantees in terms of integrity and professionality that are necessary in order to complete the recruitment procedure.
4. For which purposes are the Data being processed?
Data Subject's Data - whether it is common data or special categories of data - either collected during pre-contractual negotiations, upon signature of the contract or at the hiring stage, provided during employment or collaboration will be processed in accordance with current legislation on data protection and for the following purposes:
- in order complete the process aimed at selecting and hiring employees and collaborators and also to finalize agent contract;
- administrative, accounting, salary-related, insurance, social security and tax purposes;
- to comply with or request compliance with certain duties, or to carry out specific tasks required by European legislation, laws, regulations, collective or corporate agreements, more specifically with the purpose of establishing, managing and terminating a working relationship, as well as to award benefits and apply legislation on social security and health insurance – including complementary insurance – or rules regarding health and safety of employees and the general population, as well as actions needed in relation to tax issues, trade union matters, public health, order and safety issues;
- in addition to the cases foreseen at c) – in accordance with legal provisions and for specific and legitimate purposes – for keeping accounts or paying salaries, benefits, bonuses, other emoluments, donations or associated benefits;
- to perform the employment or collaboration or agent contract and make sure the obligations set forth therein are being fulfilled;
- to exercise or defend a right – even against third parties – in court, as well as in administrative,arbitration or conciliation proceedings where provided by laws, European community legislation, regulations or collective agreements.
- to comply with obligations arising from insurance contracts that are aimed at protecting the employer from risks pertaining to health and safety in the workplace, professional sicknesses, or damage caused to third parties in the course of professional or work-related activities;
- to guarantee equal employment opportunities;
- in order to pursue specific, legitimate aims that are identified in the statutes of associations, organisations, federations or confederations that represent categories of employers, or in collective agreements regarding trade union assistance for employers; (the purposes thereof, set out in points a) to i), are jointly referred to as the “Contractual Purposes”) and
- for carrying out activities related to sale of business or branches thereof, acquisitions, mergers, divisions or other transformations; and to execute these operations (the purposes set out in point j) is referred to as the “Legitimate Interest Purpose”).
As for the use of corporate IT devices, the internet and email, please refer to the relevant section of the Valagro Group Data Protection Policy.
5. What is the basis for the processing of the Data?
Providing the Data is mandatory in order to establish and manage an employment or collaboration relationship in accordance with legal and contractual provisions. An employment or collaboration contract cannot be signed or enacted without providing the relevant Data.
6. How are the Data processed?
Processing will be carried out for the purposes mentioned above, either by using IT/automated tools or traditional means, such as paper. In any case, the tools used will be appropriate to guarantee the safety and confidentiality of the Data.
7. With whom will the Data be shared?
Persons in charge of the processing and internal data processors charge of managing the employment or collaboration relationship may have access to the Data.
In order to perform the employment and/or collaboration contract, the following may have access with your Data, in their capacity as external data processors or – where provided by the law – as autonomous data controllers: public or private entities – including health organisations, company doctors, company and complementary social security and healthcare insurance funds, social and worker welfare institutions, tax-assistance centres, insurance companies, recruitment agencies, employer and employee trade union associations and organisations, freelancers, institutions or consortia, providers of services that support or enable those activities carried out by the Controller (and therefore – by way of example, but not exhaustively – to companies that provide IT services, expert reports, consultancy work, legal advice, auditing companies), associations, organisations, public administration bodies, trade union associations (in order to carry out a trade union deduction requested by a Data Subject, or in order to allow control on the performance of the contract, in accordance with the additional corporate agreements), the Data Subjects' family members, subsidiaries, parent companies or companies affiliated with the Controller, those to whom the company or branches of the company have been transferred, companies resulting from possible mergers, divisions or other transformations of the Controller, external structures responsible for carrying out activities which are connected or are the consequence of the performance of the contract, credit institutions for payment orders or other financial activities that are needed for the performance of the contract.
8. Will the Data be transferred abroad?
The Data may be transferred to countries inside the European Union. The Data may also be transferred abroad – including countries outside the European Union – where necessary for the conclusion of the employment or collaboration contract with the Company, or if the Controller decides to establish its servers or corporate databases outside the European Union, or to outsource services to entities established abroad. In these case, Data will be transferred in accordance with the guarantees provided by applicable laws.
The Data will not be disclosed, except where service orders, work or weekday shifts are displayed on the company notice board, and in the case where instructions are provided regarding the organisation of work and the identification of tasks ascribed to individual workers.
The Company will publish the Data Subjects' name, surname, email and phone number on the Company website. It will also publish a picture and a professional profile of the Data Subject, as long as he/she chooses to consent thereto.
9. For how long is the Data stored?
Data collected in the manner described in paragraphs 1 and 3 will be stored for the entire duration of the working or agency relationship and for ten years after it has come to an end, except where it has to be kept for longer due to legal disputes, requests from relevant authorities or in order to comply with applicable laws. After this retention period, the Data will be deleted, anonymised or aggregated.
10. What are the rights of the Data Subject?
In addition to the possibility for the Data Subject to refuse to provide his/her Data, without prejudice to the consequences mentioned in paragraph 2, he/she may exercise his/her right – at any time and free of charge – to (i) obtain the confirmation of the existence or non-existence of Data concerning him/her; (ii) to know the origin of the Data, the purposes of the processing, and the methods used, as well as the logic behind processing carried out with electronic means; (iii) request the Data to be updated, corrected or – if he/she wishes to – integrated; (iv) obtain the cancellation, transformation into anonymous format or blocking of data processed in violation of the law, as well as object to the processing on legitimate grounds;
At any time, the Data Subject may also:
- ask the Company to restrict the processing where (i) the data Subject challenges the accuracy of the Data; (ii) the processing is unlawful and the Data subject opposes to the erasure, requesting instead that use thereof be restricted; (iii) although the Company does not need to process the Data anymore, the Data Subject needs the Data in order to establish, exercise or defend a right in court;
- object to his/her Data being processed pursuant to article 21, paragraph 1 of the Privacy Regulation, pending an assessment on whether the Controller's legitimate grounds override those of the Data Subject;
- object to his/her Personal Data being processed;
- request that his/her Personal Data are erased, without undue delay;
- obtain the portability of his/her Personal Data; and
- if the conditions are met, file a complaint with the competent authority.
Relevant requests may be sent in writing to the Controller, at the following email address: firstname.lastname@example.org.
11. Who are the external data processors?
Amongst others, the Company has appointed external data processors. You can request a complete list of all data processors from the Controller by following the procedure set out in paragraph 10 of this policy.
12. Modifications and updates
This policy will be valid from its entry into force. However, the Company may make changes and/or additions to the policy, also as a consequence of the entry into force of the Privacy Regulation and possible future modifications and/or additions. The text of the updated policy will be published on the company’s intranet. The employee will receive a notification email each time this policy is updated, allowing him/her to promptly become acquainted therewith.