Recruitment Privacy Notice

(Effective date: 16 March 2026)

If you are reading this notice, you are considering applying — or have already applied — for a role with us.

1. Who we are (Data Controller)

We are DATAFLOW SECURITY S.p.A., with a registered office at Via Portici Lunghi 73, 36061 Bassano del Grappa, Italy (“DATAFLOW”, “we”, or “our”).

For the processing activities described in this notice, DATAFLOW acts as the data controller.

Privacy contact (DPO): [email protected]

2. What personal data we process

Depending on how you apply and how the process develops, we may process some or all of the following.

a) Data you provide directly

This may include:

  • identification and contact details (name, email, phone number, country of residence, address);
  • CV/resume, cover letter, education, qualifications, languages, work history, skills, certifications, portfolio links, salary expectations, availability, and interview notes;
  • information collected from the candidate’s online profile (e.g. LinkedIn, Twitter, etc.);
  • information required directly (other background information not included in the CV);
  • referral information and references you choose to provide;
  • any other information you include in your application materials.

Providing your data is voluntary, but if you do not provide the information we need, we may be unable to consider you for a role or proceed with the hiring process.

If you share personal data relating to third parties (such as referees or members of your family), you are responsible for ensuring you are authorised to do so. You assume all the obligations and responsibilities prescribed by the law, and grant us the widest indemnity with respect to any dispute, claim, request for compensation for damage, etc. that we may receive from third parties whose personal data were transmitted by you and therefore processed in violation of the applicable data protection laws.

b) Special categories of personal data

Your application may contain special categories of personal data (e.g., health, disability of oneself or a family member, racial or ethnic origin, religious beliefs, trade union membership). Please do not include such data unless strictly relevant to the role or required by law, for example where the role is reserved for protected categories, you request reasonable accommodation, or processing is necessary for employment or social protection purposes. Where the collection of sensitive data is necessary to establish the relationship, or is justified by determined and legitimate purposes, the processing will be based on fulfilling the obligations and exercising our or your specific rights in the field of labor law and social security and social protection.

If such data is not relevant, we will not use it for evaluation.

c) Data from recruitment partners or referrers

We may receive your data from head-hunters, external recruiters, recruiting platforms, professional networking platforms, or employee referral sources. Where we receive your data from a third party, we expect that party to have a valid legal basis for sharing it with us.

d) Data from public professional sources

Where permitted by law, we may collect or supplement your data using publicly accessible professional sources (such as professional profiles, portfolios, publications, or professional directories), where relevant to assessing suitability or verifying your application.

e) Browser and device data

If you apply through our website, we may process technical data about your browser or device. See the privacy and cookie information at https://dfsec.com.

3. Where we get your data

We collect personal data directly from you, from recruitment partners or referrers, from public professional sources, and from our website or application tools when you interact with them.

4. Why we process your data and the legal basis

a) To manage and assess your application

This includes receiving and reviewing your application, contacting you, arranging interviews, evaluating your qualifications and suitability, keeping records of the process, and responding to your questions.

Legal basis: necessary to take steps at your request prior to potentially entering into an employment or other working relationship.

b) To comply with legal obligations

Legal basis: compliance with a legal obligation to which we are subject.

c) To protect our legitimate interests

This includes protecting our company, personnel, systems, and services; preventing fraud and security incidents; verifying application information using limited public professional sources; and defending legal claims.

Legal basis: our legitimate interests in maintaining a secure recruitment process, protecting our business, and verifying information relevant to recruitment.

d) To retain your data for future opportunities

Where permitted by law, we may retain your application after a selection process ends to consider you for future relevant roles. This is particularly important in our sector, where qualified candidates with the specialised expertise we require are scarce.

Legal basis: our legitimate interest in maintaining a pipeline of qualified candidates for highly specialised roles. You may object at any time (see Section 8), and we will cease retention unless we demonstrate compelling legitimate grounds.

5. How we use your data

We process personal data using organisational, electronic, and manual means, with appropriate security measures. Your data may be reviewed by authorised personnel and, where relevant, combined with information from recruitment partners or public sources.

Automated tools and human review

We may use tools that support recruitment administration, organisation, scheduling, and review of candidate information. We do not make hiring decisions based solely on automated processing that produces legal effects or similarly significant effects. Final recruitment decisions involve human assessment.

6. With whom we share your data

We may share your data with:

  • authorised personnel within DATAFLOW, subject to confidentiality obligations;
  • service providers / data processors acting on our behalf (hosting, HR technology provider, security provider, professional advisors, recruitment agencies under our instructions);
  • public authorities, regulators, law enforcement, or courts where required by law or necessary for legal claims.

We require our data processors to act only on our instructions with appropriate contractual safeguards.

7. International transfers

Some recipients may be located outside the European Economic Area (EEA). Where we transfer data outside the EEA, we rely on appropriate safeguards such as European Commission adequacy decisions or Standard Contractual Clauses with any required supplementary measures.

Contact [email protected] for more information on the transfer mechanisms we use.

8. How long we keep your data

  • Active recruitment files: for the duration of the process and for 5 (five) years afterward for evaluation and administration.
  • Unsuccessful candidates / talent pool: for up to five years from when the data was shared with us or last updated, where justified by our ongoing recruitment needs and the difficulty of sourcing highly specialised technical profiles.
  • Legal compliance and disputes: as long as required by law or to establish, exercise, or defend legal claims.

You may request deletion before the end of the applicable retention period.

9. Your rights

Subject to applicable law, you may:

  • Access your data and related information
  • Rectify inaccurate or incomplete data
  • Erase your data in the cases provided by law
  • Restrict processing in the cases provided by law
  • Port the data you provided in a structured, commonly used, machine-readable format (where applicable)
  • Object to processing based on our legitimate interests, on grounds relating to your particular situation. We will stop unless we demonstrate compelling legitimate grounds or the processing is necessary for legal claims
  • Withdraw consent at any time where processing is based on consent (without affecting prior lawfulness)
  • Contest automated decisions and request human intervention, where applicable

How to exercise your rights: contact [email protected]. We will respond within one month of your request, as required by the European legislation to which we are subject; this period may be extended by up to two further months where necessary in cases of particular complexity. You can also contact the HR Partners who shared your application with us (e.g. LinkedIn) by writing to them.

Supervisory authority: you may lodge a complaint with the competent supervisory authority, including the authority where you live or work. In Italy, this is the Garante per la protezione dei dati personali. At any time you can also contact the competent supervisory authority, or that of your country, whose contact details are available at https://edpb.europa.eu/about-edpb/board/members_en

10. Scope

This notice covers only processing for which DATAFLOW acts as data controller in connection with recruitment. It does not cover processing by third parties acting as independent controllers (such as recruiting platforms or social media providers), who operate under their own privacy notices.

11. Changes

We may update this notice from time to time. The version on our website is the current version. We will provide appropriate notice of material changes where required by law.

© 2026 Dataflow Security S.p.A. All rights reserved.