Privacy Policy

Pursuant to and for the purposes of the existing legislation on the protection of personal data (the " Privacy Policy"), including Regulation (EU) 2016/679 (" GDPR ") as well as Legislative Decree No. 196/2003 as amended by Legislative Decree No. 101/2018 (the "Privacy Code"), Reno De Medici S.p.A., as data controller (hereinafter, "RDM" or "Data Controller"), informs users (below the "Users" or, individually, "User") of the website www.rdmgroup.com (the "Website"), which will deal with their personal data collected through said Website using the procedures and for the purposes described in this policy (the "Policy").
The terms of this Privacy Policy apply only and exclusively to the Website and not to other websites owned by the Data Controller or owned by third parties that the User may access via the links that may be contained in the Website. Should the User access to another website, he/she is advised to read the information regarding the processing of personal data applicable to said website.
The User, by browsing the Website, acknowledges having read and understood the contents of this Policy.

1. Type of data processed via the Website

RDM shall process the following types of personal data of Users who browse and interact with the web services of the Website, specifically:

1. Data collected implicitly whilst a User browses the Website

The computer systems, cookie technology and software procedures used for the operation of the Website acquire, during their normal exercise, certain personal data, the transmission of which is implicit in the use of the Internet. This information is not collected to be associated with identified data subjects, but which, by their very nature, could, through elaborations and associations with data held by third parties, allow Users to be identified.
This category of data includes, for example, IP addresses or domain names of the computers used by Users who connect to the Website, the pages visited by Users therein, the domain names and addresses of the websites from which the User has logged in to the Website (by referral), URI (Uniform Resource Identifier) addresses of the requested resources, the time of the request, the method used to submit the request to the web server, the size of the file obtained in reply, the numerical code indicating the status of the response sent from the web server and other parameters related to the type of browser (e.g. Internet Explorer, Google Chrome, Firefox), operating system (e.g. Windows) and the User's computing environment.
These data are also collected by cookie technology or text and number files that are installed, whilst browsing a website, in the memory of the device (PC, smartphone or tablet) connected to the Internet via the browser application installed therein. For more information about cookies used on the Website users are advised to consult the Cookie Policy.

2. Common data provided directly by the User

This is data that is provided to RDM directly by the User, such as, by way of example and not limited to: name, surname, email address, personal data contained in the curriculum vitae, personal data of the sender possibly contained in email notifications or in attachments thereto, etc. after sending a notification via the direct sending of an email or other notifications to the contact details specified on the Website or via the appropriate interface within the "Join us" section of the Website .

3. Special data categories (pursuant to Article 9 of the GDPR) provided directly by the User

This concerns data provided to RDM directly by the User, such as, specifically, those revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or the sexual orientation of the User after sending a notification or a curriculum vitae ("CV") via the specific interface within the "Join us" section of the Website.
Generally, specific data are not processed, as defined pursuant to Article 9 of the GDPR, nor are judicial data, except for "data relating to the membership of the data subject to protected categories". These data should be conferred by the applicant User solely in the context of selection procedures aimed at covering positions reserved for disabled workers pursuant to Law no. 68/99 and subsequent amendments and additions.
Users who wish to apply either spontaneously or in response to an open position published on the Website must not, therefore, provide data of a specific category. One exception concerns data relating to the possible disability of the data subject and this is exclusively due to the subsidies from which they may benefit, where the selection is aimed at protected categories.
The User must also not provide judicial data, i.e. personal data relating to criminal convictions or offences or related safety measures, or in any case eligible for revealing an accused or investigated status pursuant to Articles 60 and 61 of the Code of Criminal Procedure.

2. Legal basis and purpose of processing
   1. Common personal data provided by the user, be it implicitly or directly, whilst browsing the Website shall be processes, without requiring the prior consent of the User, for the following purposes:

1. to enable Users to benefit from the Website services;
2. to carry out the maintenance and technical assistance necessary to ensure the correct operation of the Website and the services relating thereto;
3. to enable RDM to exercise its rights in court proceedings and suppress illegal activities;
4. to fulfil the obligations of the law and/or regulations.

The processing of the common personal data for the aforementioned purposes will be carried out on the basis of legitimate interests of the Data Controller to: (a) prevent the occurrence of fraud or other criminal acts via the use of the Website; (b) inform the User, via the contents of the Website on the activities carried out by RDM; (c) improve the quality and structure of the Website as well as to create new services, features and/or characteristics of the same; (d) for the handling and processing of statistical surveys (after data anonymisation) on the use of the Website; (e) interact with the User interested in RDM's services, via RDM's contact details published on the Website within the specific "Contact Details" section.

1. 2. The processing of personal data provided directly by Users who intend to apply spontaneously, by emailing [email protected] by accessing the "Join us" section of the Website and by filling in the online "form" that enables the acquisition of information relating to their professional experience, organised in the form of a CV, is aimed at searching for and selecting staff for the department within RDM or its associated companies and/or subsidiaries (the "RDM Group Companies").

The common personal data provided directly by the User by sending a CV shall be processed pursuant to Article 111-bis of the Privacy Code.

Where, during the selection procedure or within the CV, personal data of a specific category needs to be collected, said data shall be processed exclusively following the issuance of appropriate consent by the applicant User. It should be noted that, in the event of the non-provision of consent to the processing of personal data of a specific category by the applicant User, said personal data shall be immediately deleted by RDM.
If RDM intends to use the collected personal data for any other purpose that is inconsistent with the purposes for which it was originally collected or authorised, RDM shall inform the User in advance and the user shall also be able to refuse or withdraw his/her consent.

3. Nature of the Provision of Data

The provision of data implicitly provided by the User by browsing the Website is carried out automatically. Therefore, if the User does not intend to provide any personal browsing data, he/she is asked not to visit this Website, not to otherwise use this Website or send requests or notifications via this Website or not to provide his/her consent when this option is offered under the Privacy Legislation.
The provision of common data provided directly by the User is optional. However, their non-provision can make it impossible for RDM to perform the application requests.
The provision of data of specific categories provided directly by the User is optional and, in any case, may be processed by RDM only with prior consent duly provided by the User. Only where the selection is aimed at protected categories, the non-provision of personal data relating to the possible disability of the data subject may make it impossible for RDM to perform the application request.

4. Data processing methods

The processing of the personal data of Users is carried out by means of the operations specified in Article 4 of the GDPR and, specifically: collection, recording, organisation, structuring, conservation, adaptation or modification, extraction, consultation, use, communication through transmission, any other form of provision, comparison or interconnection, limitation, deletion or destruction of data.
We also inform you that the User's data:
will be processed in compliance with the principles of legality, correctness and transparency; will be collected for the legitimate purposes determined above;
will be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
will be kept in a form which permits the identification of the User for a period of time not greater than the achievement of the purposes and better defined in Paragraph 8 below;
will be processed in such a way as to ensure adequate security from the risk of destruction, loss, modification, disclosure or unauthorised access by means of technical and organisational security measures.
Users' data shall be processed on paper, using automated, computer or electronic tools, using organisational procedures and logic closely related to the specified purposes.
RDM uses the most appropriate technological and security measures (electronic, computer, physical, organisational and procedural) to ensure the security and confidentiality of the data processed.

The User notes, however, that said communication of personal data by means of websites presents risks related to the disclosure of such data and that no system is totally secure or tamper-proof and/or secure from intrusion by third parties.

5. Data disclosure
   1. The personal data provided by Users by browsing the Website or by filling in the online "form" contained in the "Join us" section of the Website, or through appropriate communications sent to RDM's contact persons specified on the Website will not be distributed or made accessible to undetermined parties, in any way, even by their provision or consultation.
   2. RDM can instead communicate (this term meaning to give knowledge to one or more specific individuals) the User's personal data processed for the purposes referred to in Paragraph 2.1 of the Policy to: (a) supervisory and/or control bodies of RDM, (b) Judicial Authorities as well as (c) all other subjects to which the disclosure is mandatory by law for the accomplishment of the purposes such as autonomous data controllers. RDM may also entrust certain personal data processing procedures carried out for the purposes referred to in Paragraph 2.1 to third parties, duly appointed by RDM, if necessary, as Data Processors, including, by way of example and not limited to:

suppliers of technical services of the Website;
hosting providers that offer services for hosting Website;
computer companies involved in maintaining and managing the Website;
communication agencies involved in the market research activities carried out by RDM using, anonymously, Users' browsing data;
other Companies of the RDM Group (for management, statistical and data consolidation needs).

1. 3. RDM may disclose Users' personal data processed for the purposes referred to in Paragraph 2.2 of the Policy ("managing staff applications, searches and selection") to: (a) authorised individuals within RDM's structure and, specifically, employees or collaborators of the Human Resources Department [email protected], who will process the data according to the operating instructions defined by RDM, as Data Controller; (b) entities which can access the data by virtue of the provisions of the law or regulations, within the limits provided for by law; (c) individuals who need to access the data for auxiliary purposes to the relationship with the User within the limits strictly necessary to carry out the auxiliary tasks entrusted to them (e.g. companies and/or third parties which the Data Controller uses for specific consulting and data processing services), following a specific assignment letter that imposes upon such third parties the duty of confidentiality and security in the processing of personal data.

The complete and updated list of subjects referred to in Paragraphs 5.1 and 5.2 above to which the data can be disclosed as Personal Data Processors can be requested by using one of the communication channels available from RDM for the exercise, by the data subjects, of their rights, specified in Paragraph 8 below.
Also, following the explicit consent given by the applicant User, RDM may disclose the personal data contained in the CV for the same pursuit of the purposes referred to above, to other RDM Group Companies, where are the latter companies are interested in applying or in having an open working position. In the latter case, the RDM Group Companies will act as autonomous Data Controllers and RDM, as Data Processor on behalf of the former.

6. Transfer of data outside of the EU

The handling and retention of personal data will take place on servers located within the European Union owned by RDM and/or third party companies responsible and duly appointed as Data Processors.
The User's data will not be transferred outside of the European Union.
A possible transfer of the User's personal data to non-EU countries may take place only under the terms and with the guarantees provided by the Privacy Legislation.

7. Data retention period

Personal data collected whilst browsing the Website will be processed and retained throughout the duration of the browsing and, after its termination, for any reason, for the periods referred to in the cookie policy and, in any event, for a period not exceeding 24 months (the "Retention Period"), unless a different retention period is provided for pursuant to law.
Personal data collected and processed for the purposes referred to in Paragraph 2.2 ("Managing applications, staff search and selection"), will be retained for a period of up to twelve months from the User's registration or from the submission of their CV.
At the end of the retention period, personal data will be deleted, provided that there are no further legitimate interests of the Data Controller and/or legal obligations that require, after minimisation, their retention.

8. User Rights

The User, as data subject, according to law, will always have the right to revoke their consent that may have been given and may also, at any time, exercise the following rights:

1. the "Right of Access" and, specifically, to obtain confirmation of the existence or non-existence of personal data relating to the User and their communication in an intelligible form, as well as to obtain the following information:

1. the purposes and methods for processing the User's personal data (including the existence of an automated decision-making process, including the profiling referred to in Article 22, paragraphs 1 and 4 of the GDPR and, at least in these cases, significant information on the logic used, as well as the importance and the expected consequences of this processing for the data subject), the categories of personal data processed, the origin of the personal data, the retention period of the personal data (if possible), or the criteria used to determine this period;
2. the details of the data controller, data processors and the appointed representative pursuant to Article 5, paragraph 2; e) of the GDPR and, in general, of all the subjects or categories of subjects to whom the personal data have been or will be disclosed on Italian territory, especially if there are recipients of third countries or international organisations (and, in this case, the User also has the right to be informed of the existence of adequate safeguards pursuant to Article 46 of the GDPR relating to the transfer);
3. the existence of the right of the User, as data subject, to ask the data controller for the rectification, erasure or limitation of the processing of personal data or to object to their processing;
4. the right to lodge a complaint with the Italian Personal Data Protection Authority (the "Personal Data Protection Authority");

2. the "Right of Rectification" i.e. the right to request the rectification or, if they had an interest, the supplementation of personal data;
3. the "right to erasure" (or "right to oblivion"), i.e. the right to request the erasure, transformation into anonymous form or the blocking of data processed in breach of the law, including data that does not need to be retained in relation to the purposes for which the data were collected or subsequently processed;
4. the "Right of limitation of processing" i.e. the right to obtain, from the data controller, the limitation of processing in some cases provided for under the Privacy Legislation;
5. the right to request, from the data controller, an indication of recipients to whom it has notified any rectifications or erasures or limitations of processing (made in accordance with Articles 16, 17 and 18 of the GDPR, in fulfilment of the obligation of notification, except in the case where this proves impossible or involves a disproportionate effort);
6. the "right to data portability" i.e. the right to receive (or transmit directly to another data controller) personal data in a structured format, of common use and readable by automatic device;
7. the "Right of objection" i.e. the right to object, in whole or in part:

1. to the processing of personal data carried out by the Data Controller for a legitimate interest of the latter;
2. to the processing of personal data carried out by the Data Controller for the purposes of marketing or User profiling.

In the cases referred to above, where necessary, the Data Controller will bring to knowledge of the third parties to which the User's personal data are disclosed the possible exercise of rights, with the exception of specific cases where this is not possible or is too burdensome.

9. Methods for exercising rights and complaining to the Italian Personal Data Protection Authority

The User may, at any time, exercise the rights referred to in the preceding Paragraph, in the following ways:

1. by sending a registered letter with return receipt to RDM's address in Milan, Viale Isonzo 25;
2. by sending an email to: [email protected] and the DPO at: [email protected]
3. by calling the number: +39 0289966111 (r.a.)

User has, under the Privacy Regulations, the right to lodge a complaint with the competent Supervisory Authority (in particular in the Member State of your habitual residence, place of work or place of the alleged breach), if you are of the opinion that your Personal Data is being processed in a way that would result in a breach of the GDPR.
In order to facilitate the exercise of the right to lodge a complaint, the name and contact details of the EU Supervisory Authorities are available at the following link:
https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm.