PRIVACY POLICY FOR HR PURPOSES
1. Purpose
This GDPR Policy outlines the obligations of Space Products and Innovation S.r.l (hereafter referred to as "the Company") regarding the collection, use, storage, and processing of personal data of employees, job applicants, and other individuals associated with the Human Resources (HR) Office. The Company is committed to protecting the privacy and data of all individuals in accordance with the General Data Protection Regulation (GDPR).
2. Scope
This policy applies to all employees, contractors, consultants, and any other parties working with or on behalf of the Company who have access to personal data processed by the HR Office. It covers all personal data handled by the Company, including data on job applicants, current and former employees, and contractors.
3. Key Definitions
-
Personal Data: Any information relating to an identified or identifiable natural person (data subject). This includes but is not limited to name, address, date of birth, identification numbers, employment details, and contact information.
-
Processing: Any operation performed on personal data, including collection, storage, use, alteration, or destruction.
-
Data Subject: Any individual whose personal data is being processed.
-
Data Controller: The entity that determines the purposes and means of processing personal data.
-
Data Processor: The entity that processes data on behalf of the Data Controller.
-
Consent: Freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they signify agreement to the processing of personal data.
4. Data Collection
The HR Office collects personal data for various purposes, including but not limited to:
-
Recruitment and selection
-
Employment records management
-
Payroll processing
-
Performance management
-
Employee benefits administration
-
Compliance with legal obligations
Data will only be collected for specified, explicit, and legitimate purposes.
The Company will ensure that the data is accurate and kept up to date.
5. Lawful Basis for Processing
Personal data will be processed by the HR Office only when there is a lawful basis to do so, including:
-
Consent: Where the data subject has given explicit consent.
-
Contract: Where processing is necessary for the performance of a contract with the data subject.
-
Legal Obligation: Where processing is necessary for compliance with a legal obligation.
-
Legitimate Interests: Where processing is necessary for the legitimate interests pursued by the Company, except where these interests are overridden by the rights and freedoms of the data subject.
6. Data Subject Rights
The Company recognizes and upholds the following rights of data subjects under GDPR:
-
Right to Access: Individuals can request access to their personal data held by the Company.
-
Right to Rectification: Individuals can request correction of inaccurate or incomplete data.
-
Right to Erasure: Individuals can request deletion of their data when it is no longer necessary or if they withdraw consent.
-
Right to Restrict Processing: Individuals can request to limit the processing of their data under certain circumstances.
-
Right to Data Portability: Individuals can request to receive their data in a structured, commonly used, and machine-readable format.
-
Right to Object: Individuals can object to the processing of their data based on legitimate interests or direct marketing.
All requests from data subjects will be handled promptly and, in any event, within one month of receipt.
7. Data Security
The Company will implement appropriate technical and organizational measures to protect personal data against unauthorized access, accidental loss, destruction, or damage. This includes:
-
Encryption of sensitive data
-
Secure storage solutions
-
Access controls and authentication procedures
-
Regular data protection training for HR personnel
8. Data Retention
Personal data will be retained only for as long as necessary to fulfil the purposes for which it was collected or to comply with legal, regulatory, or internal policy requirements. The Company will regularly review the personal data it holds and erase or anonymize data that is no longer needed.
9. Data Breach Notification
In the event of a data breach, the Company will follow its Data Breach Response Plan, which includes notifying the relevant supervisory authority within 72 hours of becoming aware of the breach, where required. Affected data subjects will also be informed without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
10. Data Transfers
The Company will ensure that any transfer of personal data outside the European Economic Area (EEA) is conducted in compliance with GDPR, using appropriate safeguards such as standard contractual clauses, Privacy Shield certification, or binding corporate rules.
11. Third-Party Processors
The Company may engage third-party service providers (data processors) to handle personal data on its behalf. The Company will ensure that any such processors are GDPR-compliant and provide adequate guarantees to protect the data.
12. Responsibilities
-
HR Office: Responsible for ensuring that all HR-related data processing activities comply with this policy and GDPR.
-
Data Protection Officer (DPO): Overseeing the Company's data protection strategy and ensuring compliance with GDPR.
-
All Employees: Required to adhere to this policy and report any potential data protection issues to the HR Office or DPO.
13. Training and Awareness
The Company will provide regular GDPR training to all employees involved in the processing of personal data. The training will cover GDPR principles, data subject rights, and the Company’s data protection policies and procedures.
14. Review and Updates
This policy will be reviewed regularly and updated as necessary to reflect changes in legislation, regulatory requirements, or business practices.
15. Contact Information
For any questions or concerns regarding this GDPR policy or data protection practices, please contact the Data Protection Officer at hr@spinintech.com.