Applications for employment and/or collaboration opportunities with ROME UNIVERSITY OF FINE ARTS require the collection of information constituting personal data pursuant to Legislative Decree No. 196/2003, as amended and supplemented (hereinafter, the “Code“), as well as Regulation (EU) 2016/679 (hereinafter, the “GDPR“).
1. Data Controller
The data controller is ROME UNIVERSITY OF FINE ARTS – Accademia Delle Belle Arti, with registered office at Via G. Gioacchino Belli, 86 – 00193 Rome, Tax Code/VAT No.: 09227921005 (hereinafter, the “Controller” or “RUFA“), and provides applicants (hereinafter, the “Applicants“) who submit an application with this privacy notice pursuant to Article 13 of the GDPR.
The Controller may be contacted at any time using the following contact details:
- by e-mail at: privacy@unirufa.it;
- by mail at: Via G. Gioacchino Belli, 86 – 00193 Rome.
2. Data Processed
The data processed through the submission and assessment of an application for employment and/or collaboration purposes include first name, last name, place and date of birth, nationality, residence/domicile (hereinafter, the “Personal Identification Data“), telephone number and e-mail address (hereinafter, the “Contact Data“), as well as any additional information contained in the Applicant’s curriculum vitae. Therefore, the Applicant shall not provide personal data belonging to special categories of personal data – such as, pursuant to Article 9 of the GDPR, data revealing racial or ethnic origin, religious, philosophical or other beliefs, political opinions, membership in political parties, trade unions, associations or organizations of a religious, philosophical, political or trade union nature, as well as personal data concerning health status or sex life – which, if voluntarily provided by the Applicant, will be immediately deleted.
3. Purposes and Legal Bases of Processing
The Personal Identification Data, Contact Data and all other information provided by the Applicant (hereinafter collectively referred to as the “Data“) are processed solely for the evaluation of the application.
More specifically, the Data are used to (i) assess the Applicant’s application and (ii) verify the requirements for employment and/or the commencement of a collaboration.
The legal basis for processing the collected Data is the performance of a contract to which the data subject is a party and/or the implementation of pre-contractual measures taken at the request of the data subject (Article 6(1)(b) GDPR). Where necessary, the Data may also be processed on the basis of the Controller’s legitimate interest in carrying out defensive activities or establishing, exercising or defending legal claims pursuant to Article 6(1)(f) GDPR.
4. Recipients of the Data
The Data provided may be accessed by: (i) employees and collaborators of the Controller duly authorized to process personal data pursuant to Article 29 GDPR; (ii) third parties providing ancillary or IT-related services supporting the Controller’s recruitment activities, duly appointed as data processors or acting as independent controllers; (iii) consultants engaged in dispute management and legal assistance, acting as independent controllers, where their involvement becomes necessary in relation to any disputes.
The Applicant may also request from the Controller a list of entities acting as data processors (in which case they are appointed in writing by the Controller pursuant to Article 28 GDPR and process personal data on behalf of the Controller) or as independent data controllers.
In all other cases, the Data will not be disclosed to third parties unless required to comply with requests from public authorities.
5. Place of Data Processing
The Data will be processed at the Controller’s registered office indicated above. The Data will be stored on servers and/or physical archives located exclusively within the European Union. However, should the Data be transferred outside the European Union, the Controller shall ensure that such transfer is carried out in compliance with the GDPR and, in particular, Articles 45 (Transfers on the basis of an adequacy decision) and 46 (Transfers subject to appropriate safeguards) of the GDPR.
Under no circumstances shall the Data be processed or transferred outside the European Union or to countries that do not provide adequate safeguards for the protection of personal data.
6. Processing Methods, Retention Period and Security Measures
The Controller shall process the Data with and without the aid of electronic, IT or automated tools, adopting specific logical, organizational and technical security measures to prevent data loss, unlawful or improper use and unauthorized access.
The Data shall not be processed and retained for longer than strictly necessary to achieve the purposes for which they were collected. In particular, they will be retained for a period allowing the evaluation of the application and selection of the Applicant, and in any case for no longer than one year from the date of collection, unless an employment and/or collaboration relationship is established.
Any legitimate need of the Controller or the Applicant to establish, exercise or defend legal claims shall remain unaffected, and the Data may therefore be retained beyond the above-mentioned periods.
7. Mandatory Nature of Data Provision
The provision of Data for the purposes referred to in Section 3, points (i) and (ii), is optional and left to the Applicant’s discretion, who voluntarily submits their curriculum vitae without any solicitation from the Controller. With regard to any Data subsequently requested by the Controller, failure to provide such Data will make it impossible to verify the requirements for employment and/or collaboration and, consequently, to establish a relationship with the Controller.
8. Rights of the Data Subject
Applicants, as data subjects (i.e., the individuals to whom the Data relate), are entitled to the rights granted by the GDPR. In particular, pursuant to Articles 15–22 GDPR, they have the right to request and obtain information regarding: (i) the origin of the personal data; (ii) the purposes and methods of processing; (iii) the logic applied in the event of processing carried out with the aid of electronic tools; (iv) the identification details of the controller and processors; and (v) the entities or categories of entities to whom the personal data may be disclosed or who may become aware of it in their capacity as processors or authorized persons.
Furthermore, Applicants have the right to obtain:
a) access to, updating of, rectification of, or, where interested, completion of the Data;
b) erasure, anonymization, or restriction of Data processed in breach of the law, including Data whose retention is not necessary in relation to the purposes for which they were collected or subsequently processed;
c) confirmation that the operations referred to in letters a) and b) have been communicated, including their content, to those to whom the Data have been disclosed or disseminated, unless this proves impossible or involves a manifestly disproportionate effort compared to the right being protected.
Furthermore, Applicants have:
a) the right to withdraw consent at any time where processing is based on their consent;
b) the right to data portability (the right to receive all personal data concerning them in a structured, commonly used and machine-readable format);
c) the right to object:
i) in whole or in part, on legitimate grounds, to the processing of personal data concerning them, even if relevant to the purpose of collection;
ii) in whole or in part, to the processing of personal data concerning them for advertising, direct sales, market research or commercial communication purposes;
iii) where personal data are processed for direct marketing purposes, at any time to the processing of their data for such purposes, including profiling insofar as it is related to such direct marketing.
d) where they believe that the processing concerning them infringes the GDPR, the right to lodge a complaint with a supervisory authority (in the Member State where they habitually reside, work, or where the alleged infringement occurred). The Italian supervisory authority is the Italian Data Protection Authority (Garante per la protezione dei dati personali), with offices at Piazza Venezia No. 11, 00187 – Rome (http://www.garanteprivacy.it/). To exercise these rights, Applicants may always contact the Controller using the contact details provided above.
“`