Information regarding personal data protection pursuant to art. 13 and 14 of EU Regulation 2016/679

With this document, Mygrants S.r.l., with registered office in Via Saragozza 1 (c/o COB), 40123 Bologna, VAT No. 03609451202, email privacy@mygrants.it, in its capacity as Data Controller (hereinafter referred to as the “Company” or “Data Controller“), provides common information regarding the processing of personal data carried out in the context of its own corporate website, which is accessible online at:https://mygrants.it/ (hereinafter referred to as the “Website“). It should be noted that this information is provided only with regard to the Company’s website, and not for other websites which may be consulted through hypertext links published on the Website and leading to resources which fall outside of the Company’s domain. For the provision of certain services, specific information may be published on the relevant pages of the Website, of which this document is an integration.

1. Categories of users and personal data processed

The Data Controller processes data belonging to:

i. natural persons (hereafter referred to as “Trainee(s)“), who access the Website and voluntarily register in order to use the Data Controller’s web services aimed at identifying all potential talents (mainly among immigrants) and at facilitating their placement on the job market according to their employment needs, while offering them a personalized training course to strengthen and update their skills (hereinafter referred to as “Services“);

ii. other natural persons who visit the Website without accessing the sections reserved to Trainees (hereinafter referred to as “Other Users“).

(hereinafter, Trainees and Other Users will be jointly referred to as “Users“).

The following data is processed:

a. with exclusive reference to the Trainees:

a.1.) common data, such as:

· personal data, contact details (including electronic modes) and bank details;

· citizenship and possible immigrant status as well as additional “ordinary” information relating to this status (such as, for example, transit regions);

· data relating to education (qualifications, language skills, etc.) and professional experience;

· professional and personal skills (including the goals achieved within the Data Controller’s business) and areas of interest;

· further information denoting a situation of particular vulnerability (such as possible refugee status; having been subjected to imprisonment during the trip to Europe; acts of persecution suffered, etc.) which does not fall under a special category pursuant to art. 9 of the GDPR or relate to criminal convictions and crimes pursuant to art. 10 of the GDPR

(hereinafter referred to as “Ordinary Personal Data“)

a.2) geolocation data: The Website can collect geographic location data (thus allowing the identification of the Trainee’s device geographical position in real time) using only the IP address (hereinafter, referred to as “Geolocation Data“)

a.3.) special data, such as:

· information related to refugee status (for example, why asylum was requested);

· any information relating to racial or ethnic origin;

· any health-related information.

(hereinafter referred to as “Special Personal Data“).

b. with reference to all Users:

b.1.) Browsing data: The IT systems and software procedures used to operate the Website acquire, during their normal activity, some personal data whose transmission is implicit in the use of Internet communication protocols. This category of data includes IP addresses or domain names of computers and terminals used by users, the URIs/URLs (Uniform Resource Identifier/Locator) of requested resources, the time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code showing the status of the response from the server (successful, error, etc.) and other parameters relating to the User’s operating system and computer environment.

Only for Trainees, qualitative and quantitative data related to the actions carried out on the Website (with particular reference to the training activities available), i.e. what activity the trainee has carried out, for how long etc. (hereinafter all referred to as “Navigation Data“)

b.2.) Submitted data: The optional, explicit and voluntary sending of messages by filling in the forms on the Website, as well as those sent using the Company’s contact addresses and private messages sent by Users to social media profiles/institutional pages (where this possibility is available) involves the acquisition and processing of the sender’s contact data needed to respond to said messages, as well as the acquisition of all personal data included in communications and registration forms (hereinafter, referred to as “Communicated Data“)

(all Ordinary Personal Data, Special Personal Data, Geolocation Data, Navigation Data and Submitted Data, hereinafter collectively referred to as “Personal Data“).

c. Cookies and other tracking systems: Consult the cookie policy on the Website.

2. Purpose and legal basis of data processing

PURPOSE OF DATA PROCESSING

LEGAL GROUNDS FOR PROCESSING

1.

Delivering the Services and carrying out the activities which are connected and instrumental to said delivery (such as performing “preliminary screenings” on Trainees to identify their skills and strengths and weaknesses, monitoring recorded performances, etc.) and fulfilling organizational and management activities (including sending communications relating to the Services)

1. With reference to Ordinary Personal Data: implementing pre-contractual and contractual measures (originating from the Trainee’s expression of interest in and request for access to the Data Controller’s Services).

2. With reference to Special Personal Data: consent.

2.

The fulfillment of legal obligations related to: Civil, fiscal and administrative provisions, of Community legislation, of rules, codes or procedures approved by the Authorities and other competent Institutions, as well as to follow up on requests from competent administrative or judicial authority and, more in general, from public subjects in compliance with legal formalities.

Compliance with a legal obligation to which the Data Controller is subject

3.

Asserting and defending one’s rights, including through extrajudicial initiatives and also through third parties, and preventing crimes (such as, for example, fraud, identity theft, immigration crimes, computer crimes, etc.).

Pursuit of legitimate interests by the Company.

4.

Limited to the data mentioned in par. 1, point b): The relevant processing is necessary to allow Users to access the Website and use it in an optimal way, and to manage requests received through the Website.

Implementation of pre-contractual measures taken at the request of the data subject

5.

Limited to the navigation data mentioned in par. 1 point b.1.): For purposes related to the security of the Data Controller’s systems and to obtain statistical information on the use of the Website (such as the most frequently visited pages of the Website, the average time spent on each page), as well as to check the correct operation of the Website.

Pursuit of legitimate interests by the Company.

6.

Limited to Geolocation Data, to allow the Data Controller to put the Trainees and the companies located in the same local area in contact, facilitating the placement of the Trainee on the job market.

Consent

7.

Limited to the Ordinary Personal Data of the Trainees, for the direct promotion of new services of the Data Controller.

Consent

3.Mandatory release of required data and consequences of the failure to release it

Ordinary Personal Data must be released to ensure the operational, financial and administrative delivery of the Data Controller’s Services and related professional activities. Therefore, any failure (including partial failures) to the contribution of said data prevents the Data Controller from delivering Services for the benefit of the Trainees, and from fulfilling the obligations related to said Services.

The following items of Ordinary Personal Data must be published on the Website as they are necessary in order for Trainees to access the Services offered (specifically, so that third parties can see which activities the Trainees have carried out on the platform):

PERSONAL DETAILS

  • name and surname

  • date of birth

  • residence / domicile

  • email address

  • mobile number

  • if registered with the job center

  • legal status

SKILLS

  • hard skills

  • soft skills

  • language level (IT, EN, FR)

MOBILITY

  • Italian driver’s license (category B)

  • geographic availability (or geographic flexibility)

  • hourly availability (or hourly flexibility)

  • availability for business travel

(hereinafter, the “Public Data“).

The Trainee may, however, decide each time whether they wish to make further Personal Data entered at the time of registration visible.

The release of Special Personal Data, however, is optional: Although it allows to define the profile of the Trainees with greater precision, it is not strictly necessary for the delivery of the Services and the fulfillment of the obligations which relate to said delivery.

Geolocation is optional, however, in the absence of consent to the collection of Geolocation Data, the Data Controller will not be able to identify the Trainee’s geographical area and will therefore be unable to select the companies with which to put the Trainee in contact according to the criterion of geographical proximity.

4. Data processing procedures Pseudonymization

Ordinary Personal Data and Special Personal Data are provided directly by the Trainee at the time of registration to the Website and to tests (such as the “personality quiz”), which are instrumental to the delivery of the Services.

The platform through which the Data Controller delivers its Services processes Personal Data in pseudonymized form, according to the following procedures: at the time of registration, each Trainee is assigned an alphanumeric pseudonym that will identify them within the platform and in relation to third parties.

Personal Data will be temporarily stored on the Data Controller’s server (in the cloud) and will be processed exclusively by authorized and specifically trained individuals, using both manual and IT tools.

Information relating to new services offered by the Data Controller, referred to in paragraph 2. Purposes and legal grounds for processing, n. 7, will be sent via push notifications.

5. Recipients or categories of recipients of personal data

The Users’ Personal Data may be disclosed to the following parties for all the purposes mentioned in paragraph 2:

· to those authorized to process the Data Controller’s data (employees and collaborators);

· to the Company’s third-party service suppliers (including IT, accounting, administrative, legal, insurance, banking services) who operate as data processors, as appropriate;

· to the Data Controller’s key partners involved in the creation of the Services (such as e-learning companies, companies involved in career placement projects, banking institutions who may be involved in processing credit access for the Trainees), as well as to companies that contact the Data Controller to fulfil their employment needs, and to other third parties (public and private) who interact with the Data Controller in the context of the Services (such as, for example, reception centers for asylum seekers, temporary work agencies and job centers, high schools and universities, etc.)

· to third-party companies and professionals appointed to assert the Company’s rights, interests and claims arising from its relationship with the Users;

· to State administrations, judicial or administrative authorities, public and private bodies, including after inspections and audits;

· to persons who may access data legally or under secondary or Community regulations.

In particular, all User personal data mentioned in par. 1, point b. can be communicated for the sole purposes referred to in paragraphs n. 2., n. 4., and n. 5:

· to the employees in charge of managing the Website and the IT, security and data storage systems

· to external subjects who manage and maintain the Website and who provide relevant technical services.

These data recipients will operate as data processors as appropriate.

The only category shown is that of data recipients, as it is subject to continuous updates. To view the updated list of recipients, Users may contact the Company directly by using the contact mentioned in par. 9.

6. Period of retention of personal data

Personal Data will be stored by the Data Controller for the period of time strictly necessary to achieve the purposes for which it was collected, and in particular:

Trainee
Ordinary Personal
Data

at least for the entire duration of the Services and, in any case, for a period not exceeding 10 years from Service termination With particular reference to the purpose referred to in par. 2 no. 7, Ordinary Personal Data will be kept until consent is revoked by the Trainee; in the absence of a withdrawal of consent, such data will in any case be kept for a period not exceeding 3 years from the termination of the Services and/or of any additional services provided to the Trainee by the Data Controller

Trainee
Special
Personal
Data

until the Trainee withdraws consent, following which said data will be deleted. In the absence of a withdrawal of consent, the data will be kept for as long as the Data Controller provides its Services to the Trainee

Geolocation
data

for the duration of the browsing session during which they are collected

Navigation
Data

for the duration of the browsing session and, in any case, for no longer than seven days, with the exception of system malfunction cases, when they will be kept until the problem is resolved

Communicated Data

for the time necessary to process the related request

Personal
Data which
needs to be processed due to legal obligations

for the duration set by the law

In any case, in the event of problems, anomalies or disputes (including non-judicial), data will be retained for a maximum period equal to the limitation period of the relevant actions, increased by a prudential period of six months, for the purposes mentioned in par. 2 sub n. 3, to ensure the Company’s right to defense with reference to possible legal or administrative disputes and crime prevention.

In all cases, once the respective terms have elapsed, all Personal Data will be deleted. It remains understood Personal Data may be stored for a longer period than stated above if it is relevant to pending or foreseeable disputes, if requested by competent authorities, or pursuant to the applicable legislation.

7. Transfer of personal data to another country or to an international organization

As a rule, Personal Data is not transferred abroad. However, should this become necessary for the pursuit of the aforementioned purposes, the transfer will take place in accordance with the provisions of the law.

8. Rights

Users, if circumstances arise, may, at any time and free of charge, exercise the following rights against the Company:

The right to access: allows Users to obtain confirmation from the Data Controller that their personal data is being processed and, if this were the case, to gain access to their personal data;

The right to rectification: Users can obtain the correction/integration of inaccurate/incomplete Personal Data;

The right to erasure: Users may, in the cases provided for by the legislation, obtain the erasure of their personal data;

The right to processing restriction: In the cases provided for by art. 18, paragraph 1 of the GDPR, Users may restrict the processing of their personal data (i.e. mark stored items of personal data so as to limit their future processing);

The right to data portability: In cases where data is processed automatically on the legal basis of the contract or consent, Users may receive (in a commonly used, structured format, readable on an automatic device) the personal data they have provided to the Data Controller, and have the right to transmit such data to another data controller.

In addition:

  • Users have the right to:

· object to the processing of Personal Data for the purposes mentioned in paragraphs n. 3 and 5 for reasons (which must be explained) connected to their own individual situation;

· object to the processing of Personal Data for the purpose mentioned in par. 2, no. 7, at any time, easily and free of charge;

· also, if they believe that their Personal Data is processed in violation of the provisions of the GDPR, to lodge a complaint with the national supervisory authority of the member state of the European Union in which the interested party habitually resides, works, or where the alleged violation of their rights has taken place (in Italy they may contact the Data Protection Authority, or address the appropriate judicial offices (Article 79 of the GDPR);

  • The Trainees have the right to withdraw their consent for the processing of Personal Data referred to in paragraph 2 at any time. Purposes and legal bases of data processing, n. 1.2. and n. 6, for the purposes mentioned therein. In the case of no. 6 (regarding the geolocation function), consent can be revoked by simply deactivating the geolocation function independently.

9. Contacts

To exercise all rights, Users can submit a specific request by contacting the Data Controller: