Client and Suppliers Privacy Policy

Privacy Policy for clients and suppliers (“Notice”)

Version 03, July 2020

1. Controller, joint controllers and data subjects

Reverse SpA and its German subsidiary company Reverse Deutschland GmbH (“Companies”), whose data is displayed on company websites at the following URLs https://reverse.hr, https://www.Reverse.de/ and https://reallyzation.com/ (“Site(s)”), in accordance with (EU) Regulation 2016/679 pertaining to the protection of processing individuals’ personal data, the free movement of such data and which rescinds Directive 95/46 /CE (“GDPR”), as well as the relevant national legislation on personal data protection (“National Data Protection Law”), are committed to protecting personal data (“Data”) belonging to clients or potential clients (“Clients”) who avail themselves of the Companies, including on their Sites, in order to use the service to search for and select personnel provided by the Companies (“Service”) as well as suppliers, individuals and representatives of service suppliers (legal entities) used by the Companies (“Suppliers”). The Companies are joint controllers based on a specific agreement and as a result of the data processing carried out by the subsidiary company through the IT infrastructure platform to search for and select personnel provided by the parent company Reverse S.p.A.

2. Reference to contractual discipline

For them to provide their Services, the Companies establish various legal relationships with different individuals (Candidates, Scouts and Clients). Should you wish to find out more about the Service’s contractual obligations, please refer to the relative contractual Terms and Conditions published on the Sites or which are otherwise made available to contractors.

3. Authorized processing

The data of Clients and Suppliers are processed by appropriately trained authorised data processors, who are involved in the related Data processing activities.

4. External managers/ independent data controllers and co-data controllers / processing recipients

Depending on the specific circumstances, Data may (i) be shared between Companies as joint controllers, transferred to parent and subsidiary companies for internal administrative and/or optimisation purposes, to deliver the Service, taking account of the work location (for instance, by transmitting the Data to the German subsidiary, if the work position is to be searched is in Germany or to the Italian subsidiary if the work position is to be searched in Italy) in the legitimate interest of the Companies or of third parties (Candidates and/or Clients), or (ii) be transmitted upon appointment by the Companies (and upon specific agreement) to consultants, bodies, enterprises and companies supplying services entailing Data processing.

(a) suppliers of software, applications (including CRM systems) and hardware as well as related management and support/maintenance services;

(b) suppliers of connectivity and email systems as well as related management and support/maintenance services;

(c) suppliers of external storage systems, including cloud;

(d) legal and tax advisers as well as labour consultants and accountants.

Depending on the particular circumstances or the activities performed, these parties may work as independent data controllers or as co-data controllers, should shared purposes and processing methods be established.

The Companies will provide specific information about the about the recipients at the request of the data subject.

5. Processed personal data

The processed data is made up of common data, such as the names and surnames of Clients’ or Suppliers’ company or corporate names, tax codes, VAT numbers, legal and tax addresses, any and all relevant contact information (including cell phone numbers), fax, certified e-mail (if applicable), emails and CAP. In addition, any general information needed carry out the contract, such as Client representatives’ email addresses assigned to the personnel selection office or the Supplier’s representatives, bank account details and/or any data related to the payment debit system.

For the purposes of this Policy, as the GDPR and National Data Protection Laws only refer to data held by natural people, individuals are exclusively natural people who provide services for Clients or the Suppliers regardless of their nature.

6. Purposes of the data processing and legal basis of the processing

The Companies carry out Data processing for the purposes and related legal basis outlined below:

(a) establish and engage in contractual relations with Clients and Suppliers, processing is required to execute pre-contractual measures and contractual obligations as well as to fulfil legal obligations;

(b) perform requests from Candidates who upload their CVs onto the Sites, using Clients’ contact information (particularly, the Clients’ email addresses and/or the Clients’ representatives), the processing – limited exclusively to personal data consisting of addresses and email addresses of the Clients and/or the Clients’ representatives – is based on the Service-provision contract, or, in the cases where such a contract has still to be concluded, on the legitimate interests of the Candidates for Service provision;

(c) send to the email addresses provided by the Clients informative, commercial and promotional communications relating to the Service already provided (soft spam) as part of a previous business relationship, unless the Clients have withdrawn their consent (opt-out process), in the case of soft spam, processing is based on the Companies’ legitimate interest;

(d) to send to the email addresses of Clients’ potential representatives informative, commercial and promotional communications about the Service, processing is based on consent, until consent is withdrawn.

7. Data conservation time

Without prejudice to observance of the retention period as required by law, the Clients’ and Suppliers’ data shall be stored for defensive purposes for the entire duration of the contractual relationship and shall be deleted ten years and six months after this relationship ends, unless there is a legal dispute, in which case the data will be kept for the time needed to exercise the right of defense and handle the dispute.

The data processed for the purpose mentioned under point (c) of paragraph 6 is stored and processed until the right to opt-out is exercised.

The data processed for the purpose mentioned under point (c) of paragraph 6 is stored and processed until the right of withdrawal is exercised.

8. Transferring data abroad

For internal administrative and/or optimisation purposes of the activities required to provide the Service, the Companies may transfer Data to subsidiaries based in the European Union or in the European Economic Area.

Suppliers of IT services located outside the European Union and of whose services the Companies avail themselves have adopted the Privacy Shield framework. Therefore, any data transferral takes place in compliance with the provisions of articles 44 et seq. of the GDPR.  The Companies will avail themselves of the services of suppliers compliant with the guarantees envisaged under articles 44 et seq. of the GDPR on transferral of data abroad.

9. Rights

Clients and Suppliers may contact the Companies or any external managers to exercise the rights set out in the National Data Protection Laws (where applicable) and the GDPR (articles 15 and onwards) specifically to access their personal data, request for it to be modified, updated, deleted, limited or transferred by getting in contact with the Companies at the contact data indicated above.

10. Right to opposition

Along the same procedures described above, Clients may entirely or partly object to their personal data being processed where the relevant legal basis is constituted by the legitimate interests of the Companies, pursuant to and for the purposes of the provisions of Article 21 of the GDPR.

11. Complaints

Any Client who believes that Data processing is in violation of the GDPR may file a complaint in accordance with the provisions of Article 77 of the GDPR with a supervisory authority where the Candidate normally lives or works, or to a supervisory authority where the alleged data violation occurred.

12. Amendments and updates

The Companies reserve the right to modify and/or update this Policy, including any subsequent additions and/or amendments to national and/or European Union regulations regarding personal data protection or due to possible further purposes of data processing. For this reason, this Policy is published with a progressive identification number and the month of publication, starting with the May 2018 version which displays the number “00”. Subsequent versions of the Policy will replace previous ones and will be valid, effective and applied from the date they are published on the Website.

13. Data Manager

According to a specific agreement between the Companies, the Companies have agreed to appoint a shared data manager (“Data Manager”). The Data Manager is entrusted with support and coordination of related data process activities and can act as point of contact for data subjects. Data Manager contact data are the following: Silvia Orlandini, e-mail: privacy@reverse.hr.