skip-to-content-text

Careers Privacy Policy

skip-navigation-text
Careers
  • Privacy

PRIVACY STATEMENT PURSUANT TO ART. 13 OF EU GENERAL DATA PROTECTION REGULATION 2016/679 (GDPR)

Pursuant to art. 13 of EU Regulation 2016/679 (“GDPR”) the following are data controllers for staff selection processes carried out with the Cornerstone platform, each solely with reference to personal data within their competence:

  • ISTITUTO MEDITERRANEO PER I TRAPIANTI E TERAPIE AD ALTA SPECIALIZZAZIONE S.r.l., (ISMETT), with registered office in Discesa dei Giudici 4, Palermo, Italy, fiscal code, VAT number, and enrollment in the Register of Companies of Palermo n. 04544550827;
  • UPMC ITALY S.r.l., with registered office in Discesa dei Giudici 4, Palermo, Italy, fiscal code, VAT number, and enrollment in the Register of Companies of Palermo n. 04532690825, in its capacity of joint controller for personal data processing carried out at ISMETT, and controller for the processing of personal data of UPMC ITALY, Italian subsidiary of the UPMC Group in Pittsburgh (U.S.A.);
  • SALVATOR MUNDI INTERNATIONAL HOSPITAL S.r.l., with registered office in Viale delle Mura Gianicolensi 67, Rome, Italy, fiscal code, VAT number, and enrollment in the REA [Repertorio Economico Amministrativo] RM n. 09023871008.

Personal data included in your CV and any other information obtained during the selection (e.g., certifications, documents, application form, etc.) filling out the form available on the Cornerstone platform, also accessible via a link from the Controllers’ website, will be processed for the sole purpose of assessing your possible collaboration with, or hiring by ISMETT, UPMCI, or SMIH, depending on which of the companies will act as employer or on the subject with whom you will enter a working relationship.

Data will be processed using electronic tools and hard copy forms with appropriate modalities that guarantee their safety and confidentiality, thus complying with the provisions of the GDPR.

The legal basis of the processing of your common data is described in art. 6.1(b) of the GDPR ("execution of pre-contractual measures at the request of the data subject").

Your data are mandatory to evaluate your application, therefore failure to provide them may preclude this evaluation. Your curriculum vitae should only contain data necessary to assess your professional profile and should not include information defined by the GDPR as "special categories of personal data" (e.g., information on your health, political opinions, trade union membership) that require your explicit consent as legal basis for their processing under art. 9.2(a) of the GDPR, "explicit consent of the data subject to processing"). Therefore, should you require it is necessary to provide special categories of personal data, please tick the box below. If you wish to provide special categories of personal data, you may do so only with the consent provided ticking the appropriate box in the application form. The legal basis for this processing is art. 6.1(a) in connection with art. 9.2(a) of the GDPR (data subject consent).

Should no consent be provided, the special categories of data will be deemed as spontaneously included in the CV (e.g., inclusion in protected categories) and will be stored in accordance with the law only to preserve the integrity of the document containing the data but will not be used for further purposes.

With reference to career opportunities specifically addressed to individuals included in protected category, if you are included in a so-called "protected category" and you intend to avail yourself of the benefits under Law 68/99, the consent will no longer be required as data processing is carried out according to art. 6.1(b) of the GDPR ("performance of a contract to which the data subject is party") in connection with art. 9.2(b) of the GDPR ("processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the data subject in the field of employment").

Finally, your judicial data may also be requested and processed (art. 10 of the GDPR) only if required to fulfill a legal obligation or if required by the terms of the Italian national collective labor agreement ("CCNL") applicable for the position for which you are applying.

In case of a spontaneous application, your personal data will be stored for a maximum period of one (1) month in the case of a paper CV, or five (5) years in the case of an electronic CV, starting from the date of receipt or from the date of communication of the last updated CV.

In case of participation in a selection, the documentation (e.g., CV, assessment forms, tests, application forms, etc.) is filed for five (5) years from the end date of the selection, to participate in other selections, and for 10 years for any protection in court of the rights of the controllers. In this case, the legal basis of the processing is art. 6.1(b) of the GDPR ("processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract") and, as regards the exemption from the prohibition of processing of special categories of personal data, by art. 9.2(f) of the GDPR ("processing is necessary for the establishment, exercise or defense of a right in court"). This period will start from the end of the year in which the call for application was published. Your personal data may be processed by employees and consultants of each data controller in charge of the staff selection, acting in compliance with specific instructions on objects and purposes of data processing. Your personal data may also be disclosed to third parties such as, for example, recruiting companies appointed data processors, and providing ancillary or instrumental services to the data controller.

In addition to accessing application profiles for its job vacancies, each controller reserves the right to access profiles for job vacancies published by the other companies of the UPMC Group - each of which designated as controller - in order to exchange information within the UPMC Group and facilitate the matching of job vacancies and job requirements based on the profiles of the candidates; the transfer of personal data of candidates within the UPMC Group is a legitimate interest of the data controller under art.6.1(f) in consideration of Recital 48 of the GDPR ("controllers that are part of a group of undertakings or institutions affiliated to a central body may have a legitimate interest in transmitting personal data within the group of undertakings for internal administrative purposes, including the processing of clients' or employees' personal data").

Due to the collaboration with the UPMC Group in Pittsburgh (U.S.A.), we inform you that your data may be transferred to the United States of America. Due to the fact that legislation in the U.S.A. does not guarantee, according to EU regulations, an adequate level of personal data protection, by signing the Standard Contractual Clauses approved by the European Commission, the UPMC Group commits to enforce safety measures to protect transferred personal data. A copy of these contractual clauses can be obtained contacting the Data Protection Officer (DPO) at the addresses indicated below. The data will not be disseminated in any way.

The ISMETT DPO can be reached at: dataprotectionofficer@ismett.edu;

The UPMCI DPO can be reached at: dpo@upmc.it;

The SMIH DPO can be reached at: smih_dpo@upmc.it

As a data subject, you have the right to obtain from the data controller authorization to access, rectify or delete, and to limit or deny the processing of your personal data (art. 15 et seq., GDPR). When data processing is carried out on the basis of your consent, you may decide to withdraw it at any time. These rights can be exercised forwarding a request to the DPO at each controller at the addresses indicated above, or contacting the Internal reference persons for data processing at maggior@upmc.it and direzionesanitariaprivacy@ismett.edu. The dedicated form is available in the "Forms" section on the website of the Italian Data Protection Authority ("Garante") (https://www.garanteprivacy.it/). Data subjects deeming the processing of their personal data violates the provisions of the Regulation have the right to file a complaint to the Garante using the form available in the "Forms" section of the website www.garanteprivacy.it, as provided under art. 77 of the Regulation. Alternatively, legal action may be pursued before the competent court, as provided under art. 79 of the Regulation.

Last updated: October 2024