Pursuant to and for the effects of Art. 13 of the European Regulation 2016/679 relative to the protection of individuals with regard to the processing of personal data (GENERAL DATA PROTECTION REGULATION – GDPR).
This document is to inform you, pursuant to art. 13 EU Regulation 679/2016, about the purposes, methods and subjects that your personal data will be handled, as well as to remind you of your rights and the related enforcement.
To this aim, the interested party is subject to the Privacy Notice prepared by NMS Group S.p.A., as the leading company (Company), to whose direction and control the following companies are subject (NMS Group Companies):
- Nerviano Medical Sciences S.r.l.
- Accelera S.r.l.
- NerPharMa S.r.l.
- SIMIS S.r.l.
1. Data Controller and External Data Processor
Each of the aforementioned companies, subject to the direction and control of NMS Group S.p.A., holds the legal status of Data Controller of personal of subjects who send a contact request via the appropriate “Contacts” form, available on the NMS Group Companies’ websites. Each Data Controller has appointed the holding company, NMS Group S.p.A. as External Data Processor, and empowered it to issue this on behalf the NMS Group Companies, as well as to collect the consent to the processing of data by the interested parties, in the name and on behalf of each Data Controller.
NMS Group S.p.A. holds the title of Data Controller with respect to the personal and sensitive data submitted through its own web site.
2. Purpose and legal basis of the processing
Your personal data, including all the relevant information submitted through the aforementioned “Contact” form section of the web site, will be processed (for the definition of “processing”, see art. 4, paragraph 1, No. 2 of the Rules) for the following purposes:
• Requests for information and data on the activities of the NMS Group Companies, on the contents and performance of these activities, on significant facts concerning the life of the company or the interaction of the Companies themselves with the public, the territory, the authorities and stakeholders;
• Requests for meetings, commercial proposals, exchanges of news and information on topics of corporate interest of one or more of the NMS Group Companies. The legal basis of the processing is identified in the managing your contact’ request by Data Controller and in the obligations connected to the same and/or directly and/or indirectly deriving from the same. In some cases, law requires the express consent of the interested party, to whom the data refer.
3. Processing methods
Data will be processed in compliance with the provisions of Chapter II (Principles) and Chapter IV (Data Controller and data processor) of the Regulation. In particular, the data will be processed lawfully, correctly and transparently with the data subject, collected for specific, explicit and legitimate purposes, as well as adequate, relevant and limited to what is necessary with respect to the purposes for which they are processed. Data may also be processed by automated means to store, manage or transmit the data and, in any case, it will be performed in compliance with the Regulations and according to the law in force.
The processing of your personal data is carried on by means of the operations indicated in the art. 4, n. 2) of the Regulation which, for example, may consist of the activity of collection,registration, organization, conservation, modification, consultation, use, communication. For the full list of processing operations, see the aforementioned art. 4, n. 2) of the Regulation. The Data Controller, upon written request by the data subject, will provide a copy of the personal data being processed. In case of further copies requested by the interested party, the Data Controller will charge a fee based on administrative costs. The right to obtain a copy from the data subject must not affect the rights and freedom of others.
4. Data retention period
Data provided will be kept for the time required for managing your contact request and, for the time foreseen by the applicable laws and regulations in force. Data Controller is granted the right to store the personal data of the interested parties, for the defense of their legitimate rights and interests, for a time at least equal to the prescription time established to protect the rights deriving from the contractual relationship, as well as to the prescription terms set for any claims of damages arising from contractual and non-contractual liability (if that shall occur). Also, the Data Controller has the right to keep the personal data of the interested parties, up to the last degree of judgment, in the event of a dispute that should be brought by or against any candidates, both during the hiring process and after its conclusion.
5. Access to data
For the purposes referred to in art. 2 of this notice, the personal data subject to processing may be made accessible to the following subjects:
a) the personnel of the Data Controller, specifically authorized;
b) employees and collaborators of the External Data Processor in their quality of internal managers and/or appointees and/or authorized to processing data and/or system administrators;)
c) to the NMS Group Companies;
d) to third party companies that perform outsourcing activities, in their quality as external processors (such as credit institutes, professional offices, suppliers, consultants, insurance companies for the provision of insurance services, for the time strictly necessary for the optimal execution of this service);
e) to the subjects involved with the maintenance and development service of the IT system, for the time strictly necessary for the optimal execution of this service.
The subjects referred to in letters c), d), e) will be appointed by NMS Group S.p.A. External Data Processors pursuant to art. 28 of the Regulation. The complete list of External Data Processors to whom your data are at firstname.lastname@example.org, or you can send your request by registered letter with return receipt, to NMS Group S.p.A. at the following address: Viale Pasteur n. 10, 20014 Nerviano (MI), Italy.
6. Data communication
Without your express consent pursuant to art. 6 lett. b) and c) of the Regulations, the Data Controller may also communicate your data for the purposes referred to in art. 2 to Supervisory Bodies, Public Administrations, the Judicial Authority, as well as to all other subjects to whom the communication is mandatory by law for the fulfillment of the above mentioned purposes.
7. Data transfer
The management and storage of personal data will take place on the data controller’s server and/or third-party companies duly appointed as Sub External Data Processors located within the European Union. Currently the servers are located in Italy, but it is in any case understood that the owner, if necessary, will have the right to move the location of the servers within the
European Union and/or in non-EU countries. the Data Controller has the responsibility to inform the concerned people of any change in the location of the servers.
8. Nature of data provision
The provision of data for the purposes referred to in art. 2 is mandatory. The acquired data, object of this information, are essential for the execution of the hiring process and for the subsequent management of it.
For the correct execution of the hiring process, as well as for compliance with legal obligations, it is necessary that the Data Controller/Data Processor treats some sensitive data of the interested party. Even the processing of such sensitive data assumes the character of mandatory duty, without which the hiring process cannot be carried on. Any refusal to provide the requested data and/or their inaccuracy could make impossible to
taking part to the hiring process.
9. Rights of the interested party
As an interested party, we inform you that you have the opportunity to exercise all the rights provided by the art. 15 of the Regulation, namely:
a) the right to obtain confirmation that personal data concerning you is being processed and, in this case, to obtain access to personal data and the following information:
i) the categories of processed personal data;
ii) the recipients or categories of recipients to whom the personal data have been or will be communicated, in particular if third countries or international organizations;
iii) if possible, the period of storage of personal data provided or, if this is not possible, the criteria used to determine this period;
iv) the existence of the right of the data subject to request the Data Controller to rectify or cancel personal data or to limit the processing of personal data or to oppose their processing;
v) the right to make a complaint with a supervisory authority, pursuant to articles 77 of the Regulation;
vi) if the data is not collected through the interested party, information available on its origin; vii) the existence of an automated decision-making process, including the profiling referred to in art. 22, paragraphs 1 and 4 of the
Regulation, and, at least in such cases, significant information on the logic used, as well as the importance and expected consequences of such treatment for the interested
viii) the right to be informed of the existence of adequate guarantees pursuant to art. 46 of the Regulations, if personal data is transferred to a third country or an international organization;
b) the interested party will also have (if applicable) the rights referred to in Articles 16-21 of the Regulation (right of rectification, right to oblivion, right to limitation of treatment, right to data portability, right to opposition).
We inform you that the Data Controller and/or the External Data Processor, undertake to respond to your requests no later than one month after receiving them. This deadline could be extended, for no more than two months, depending on the complexity or number of requests and the Company will explain the reason for the extension within one month of receiving the request. It should also be noted that if the request is not met, the Data Controller and/or the
External Data Processor are required to provide feedback on the reasons for the non- compliance and the possibility of making a complaint to a supervisory authority or judicial appeal within one month from receipt of the request. The outcome of your request may be provided in writing or electronically.
10. Mode of exercise of rights
The interested party may at any time exercise the rights referred to in art. 15 and following of the Regulations in the following ways:
a) sending an e-mail to the address: email@example.com;
b) sending a registered mail with return receipt to NMS Group S.p.A., at the following ddress: Viale Pasteur 10, 20014 Nerviano (MI), Italy, addressing the registered letter as follows: “To the attention of the External Data Processing Manager – NMS Group S.p.A.”
11. Changes to this Policy
The Data Controller of personal data processing and the Data Processor in charge of processing the data undertake to publish on Companies’ web sites of any changes to this information.
NMS Group S.p.A.
TAKING VISION OF THE PRIVACY NOTICE
I, the undersigned,
I declare that I have carefully and consciously read the information above and I agree with the
processing of my personal data, pursuant the terms and conditions as above described.
Place and date, ____________________________