CANDIDATE PRIVACY POLICY

Last updated: 06 June 2025

Information regarding the processing of personal data

Pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016

on the protection of natural persons with regard to the processing of personal data (hereinafter “GDPR”)

PhotoSì S.p.A Unipersonale (hereinafter “PhotoSì”), represented by its legal representative pro-tempore, in its capacity as Data Controller of the personal data collected directly from the data subject, considers privacy and the protection of personal data as fundamental and invites its users to read this Policy carefully, which contains important information on Data Processing (hereinafter “Policy”).

In any event, the logical and physical security of the data and, in general, the confidentiality of the personal data processed will be safeguarded by implementing all necessary technical and organisational measures to ensure their security.

This Privacy Policy:

Applies to the websites https://www.photosi.com and https://www.albumepoca.com (hereinafter: “Website”);
Describes the processing of personal data in relation to recruiting activities, applications, and vacancies;
Does not refer to the processing of candidate data after their recruitment and during the course of their employment or collaboration.

A.1) Data Controller’s identity and contact details

Photosì S.p.A

Registered office at via Carpegna n. 22,

Riccione (47838 - RN)

Tax Code and VAT No 03550860401

Tel. +39 (0)541/609903 – privacy@photosi.com

A.2) Data Protection Officer’s contact details

The Data Protection Officer (DPO) can be reached at the following email address: dpo@photosi.com.

B) Purpose and legal basis for the processing of personal data

Your personal data will be processed, without requiring consent, for the following purposes:

Staff recruitment and selection for current and future open positions
Recruitment and selection of collaborators for open roles (e.g. content creators, etc.)
Recruiting and integrating personnel into the company
Filling role vacancies and covering for leaves of absence
Candidate profiling.

These processing activities are based on the following legal grounds:

Fulfilment of a request from the data subject – condition of lawfulness under Article 6(b) GDPR.
Pursuit of a legitimate interest of the Data Controller - condition of lawfulness under Article 6(f) GDPR - relating to the recruitment and onboarding of new employees in the company, the assessment and selection of applications, the verification of the prerequisites for recruitment and/or the start of a collaboration, or proposing job offers consistent with the data subject’s professional profile.

The provision of data marked with an asterisk (*) in the online form for the purposes referred to in the previous section is mandatory. Failure to provide this data and/or explicit refusal to allow their processing will make it impossible for the Data Controller to evaluate and consider the application.

C) Processing of special categories of personal data
With regard to the application, only common personal data will be collected. As such, candidates are not required to provide any “special categories” of personal data as defined by Article 9 of Regulation 2016/679, such as health-related data. Please, therefore, do not include any sensitive data (i.e. data “revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or data concerning a natural person’s sex life or sexual orientation”).
This shall not apply if such data is necessary due to the nature of the employment relationship, particularly with respect to protected category status or any pre-employment medical evaluations.
In that case, your explicit consent will be requested for the processing of any such special-category personal data for one or more specific purposes.

D) Submission of video content as part of the application
As part of the selection process, the Data Controller may request the candidate to submit a video (e.g. a video introduction or responses to predefined questions) solely for the purpose of evaluating the candidate’s professional profile in relation to the open position.
The video content will only be processed by authorised personnel involved in the selection process, will not be disclosed or communicated to third parties and will only be used for internal application assessment purposes.
The video will be retained for the time strictly necessary to assess the application and, in any case, will be deleted no later than 30 days after the conclusion of the selection process.

E) Categories of recipient of personal data communication
For the purposes set out in the previous paragraph, the personal data provided may be communicated or made accessible to:

Employees and collaborators of the Data Controller, in their capacity as persons authorised to process data (or known as “Data Processors”)
Third parties performing outsourced activities on behalf of the Data Controller, in their capacity as Data Processors, including:

- IT and telecommunications service providers, paper and/or digital document storage service providers, administrative and accounting service providers, employment consultants, recruitment service providers.

The full and updated list of Data Processors can be obtained by submitting a written request to privacy@photosi.com.

F) Storage and transfer of personal data abroad
Personal data are managed and stored in the cloud and on servers located both inside and outside the European Union owned by and/or at the disposal of the Data Controller and/or appointed third-party companies, duly appointed as Data Processors.
The transfer of data abroad to non-EU countries takes place exclusively within the framework of the management of information systems for requirements strictly related to the performance of recruiting activities and, in any case, in accordance with the provisions of Chapter V, GDPR.
Your personal data will not be disclosed.

G) Personal data retention period
Personal data collected in connection with your application will be processed for the time necessary to fulfil the purposes mentioned above.
If you are not selected for the position for which you have applied, we may retain your data for a longer period in order to consider your application for other suitable positions that may arise in the future. In any event, your data will not be retained for more than five (5) years from the date your initial application was submitted.
After this retention period, the data will be destroyed or anonymised.

H) Security Measures
PhotoSì has implemented appropriate technical and organisational measures to ensure the logical and physical security of data and prevent any unauthorised processing.
In particular, the following technical and organisational measures are adopted, inter alia, to ensure the security (confidentiality, integrity and availability) of personal data:

All communications between the data subject’s device browser and our website servers are carried out using secure communication protocols (HTTPS and TLS) with encryption techniques
A personnel access control policy is implemented using secure authentication procedures (MFA – Multi-Factor Authentication)
Specific procedures are adopted for managing incidents and data breaches, and in the event of a confirmed breach, we will promptly notify the data subject and/or the Data Protection Authority, in compliance with current legislation
Systems and processes are developed and managed in compliance with the data processing principles and security requirements of the GDPR.

I) Exercisable rights

In accordance with the provisions of Chapter III, Section I GDPR, you may exercise your rights set out therein, and in particular:

Right of access - To obtain confirmation as to whether or not personal data relating to you are being processed and, if so, to receive information relating, in particular, to: the purposes of the processing, the categories of personal data concerned and the retention period, and the recipients or categories of recipient to whom the personal data have been or will be disclosed (Article 15 GDPR)
Right to rectification - To obtain, without undue delay, the rectification of inaccurate personal data concerning you and the completion of incomplete personal data (Article 16 GDPR)
Right to erasure - To obtain, without undue delay, the erasure of personal data concerning you in the cases provided for by the GDPR (Article 17 GDPR)
Right to restriction of processing - To obtain restriction of processing, in the cases provided for by the GDPR (Article 18 GDPR)
Right to data portability - To receive, in a structured, commonly used and machine-readable format, personal data concerning you, and to ensure that it be transmitted to another data controller without restriction, in the cases provided for by the GDPR (Article 20 GDPR)
Right to object - To object to the processing of personal data concerning you, unless there are legitimate grounds for the Data Controller to continue the processing (Article 21 GDPR)
Right to lodge a complaint with the supervisory authority - To lodge a complaint with the Italian Data Protection Authority: Garante per la protezione dei dati personali, Piazza di Montecitorio n. 121, 00186, Roma (RM).

You may exercise these rights by simply sending a request via email to the Data Controller’s address: privacy@photosi.com.