Full privacy notice for candidates for employment/collaboration

Who are we and what do we do with your personal data?

WebScience Srl, with registered office at viale Jenner 51, IT-20159, Milan (hereinafter also The Controller), as the data controller, is concerned with the confidentiality of your personal data and with guaranteeing them the necessary protection from any event that might put them at risk of being breached.  

To this end, the Controller implements policies and practices concerning the collection and use of your personal data and the exercise of your rights under the applicable legislation. The Controller takes care to update the policies and practices adopted for the protection of personal data whenever necessary and in any case in the event of regulatory and organisational changes that may affect the processing of your personal data. 

The Controller has appointed a data protection officer (DPO) whom you may contact if you have any questions about its policies and practices.

You can contact the DPO at the addresses and contact details below:

How and why does the Controller collect and process your personal data?

The Controller collects and/or receives information about you, such as: 
  • first name, last name
  • fixed and/or mobile telephone number
  • curricular data
  • computer data (IP addresses and data derived from the use of forms displayed online on the Controller's websites such as, for example, those in the "Work with us" section)
  • data disclosing health, if communicated by you also through your curriculum vitae or if the position for which you are applying is reserved to protected categories under specific legal obligations.

Personal data concerning you will be processed for the following purposes:

1) personnel selection and/or the start of a collaboration


  • the search for candidates for open positions 
  • the collection of applications and curricula, which may take place by means of: staff search advertisements conveyed through recruitment agencies, temporary employment agencies, universities, advertisements in newspapers, magazines, specialised periodicals, institutional website 
  • examination of the curricula received 
  • the organisation of selective interviews 
  • placement of the successful candidate 
  • establishment of the employment/collaboration relationship. 

    Legal basis 

    Carrying out pre-contractual activities 

    Fulfilment of specific obligations or performance of specific tasks deriving from laws, regulations or collective agreements, including company agreements, in particular for the purposes of establishing the employment/collaboration relationship

    Where foreseen, the right to rectification of the data processed or collected is reserved. 

    The data collected or in any case obtained by the Data Controller as a result of the selection procedure for positions available within its organisation, except for those relating to your health, which you have voluntarily provided, must be considered necessary, and failure to provide such data will make it impossible for the Data Controller to carry out activities aimed at:
  • assessing your candidature in the personnel selection process which the Controller also carries out through its suppliers (third parties/recipients)
  • managing the candidate selection process in all its phases and the fulfilments that follow from it.

2) for communication to third parties and for dissemination 


communication to third parties such as: 

  • private entities carrying out work administration, intermediation, personnel search and selection, training and outplacement support activities 
  • universities 
  • information and computer support companies 

    Legal basis 

    Performance of pre-contractual activities 

    Fulfilment of legal and/or regulatory obligations dependent on the activities carried out with the selection procedure 

    The Controller does not transfer your personal data abroad (non-EU countries). Your personal data will in no way be disclosed or disseminated to unspecified and unidentifiable parties, not even as third parties. 

    Communication concerns the categories of data whose transmission is necessary for the performance of the activities and purposes pursued by the Controller in the management of the selection procedure. The relevant processing does not require the consent of the data subject in the event that it is carried out in order to fulfil the obligations arising from the relationship established or in the event of any other hypothesis of exclusion (in particular the tracing of a legitimate interest on the part of the Controller), expressly provided for or dependent on the rules and regulations applied by the Controller, or even through third parties identified as data processors. Where the communication involves data capable of revealing the state of health, the relevant processing operations shall take place with all the appropriate guarantees including those that, if required on the basis of the risks detected, determine the application of pseudonymisation solutions, and/or data aggregation and/or encryption.

How, where and for how long are your data stored?


Data processing is carried out using paper media or computer procedures by specially authorised internal persons. They are granted access to your personal data to the extent and within the limits necessary for the performance of the processing activities concerning you. 

The Data Controller periodically checks the instruments by means of which your data are processed and the security measures foreseen for them, and provides for their constant updating; it checks, also through the persons authorised to process them, that no personal data are collected, processed, filed or stored whose processing is not necessary or whose purposes have been exhausted; it checks that the data are stored with a guarantee of integrity and authenticity and that they are used for the purposes of the processing actually carried out, also in view of their particular nature. The checks enable the Controller to assess the strict relevance, non-excessiveness and indispensability of the data belonging to special categories with respect to the selection procedure activities as well as to the relationship to be established, also with reference to the data you provide on your own initiative. 

The Data Controller guarantees that the data which, even following the checks, prove to be excessive or irrelevant will not be used except for the possible conservation, in accordance with the law, of the deed or document containing them. 


The data are stored in paper, computer and electronic archives, located within the European Economic Area, and specific security measures are ensured. 

How long 

We keep your personal data for as long as it is necessary to carry out the activities that concern you. 

In particular: 

identification data 

curricular data 

data disclosing your state of health, even if you provide it spontaneously 

Duration of the selection procedure and in any case no longer than 36 months.

This is without prejudice to: 

- the limitation of processing and other guarantees provided for data belonging to special categories 

- the cancellation of personal data collected through CVs sent spontaneously or in the absence of an open position 

- the interest of the Controller to keep the data, even those you have spontaneously released, for the time necessary to evaluate the candidature also for future work/collaboration relations 

- the establishment of the employment/collaboration relationship 

Subject to possible litigation if it involves an extension of the aforementioned terms, for the time necessary to pursue the relative purpose 

Computer data (system and network access logs and/or IP addresses) 

The duration of storage depends on the presumed and/or detected risk and the detrimental consequences thereof, subject to measures to render the data anonymous or to limit its processing 

In any case, the data must be retained (starting from the knowledge/detection of the danger event or data breach) for the time necessary to notify the Supervisory Authority of the data breach detected by means of the procedures implemented by the Data Controller and in any case to remedy it 

Once all the purposes justifying the storage of your personal data have been fulfilled, the Data Controller will take care of deleting them or making them anonymous 

What are your rights?

The rights granted to you allow you to be in control of your data at all times. Your rights are those of: 

  • access; 
  • rectification; 
  • revocation of consent; 
  • erasure; 
  • restriction of processing; 
  • objection to processing; 
  • portability. 

    In essence, you may, at any time and free of charge and without any particular burden or formality, request to:
  • obtain confirmation of the processing carried out by the Controller
  • access your personal data and learn their origin (when the data are not obtained from you directly), the purposes and aims of the processing, the data of the persons to whom they are communicated, the storage period of your data or the criteria used to determine it
  • update or rectify your personal data so that they are always exact and accurate;
  • withdraw your consent at any time, if this constitutes the basis of the processing. Revocation of consent, however, does not affect the lawfulness of the processing based on the consent given before revocation; 
  • delete your personal data from the databases and/or archives, including backup archives, in the event, among others, that they are no longer necessary for the purposes of the processing or if the processing is assumed to be unlawful, and provided that the conditions provided for by law are met; and in any case if the processing is not justified by another, equally legitimate reason 
  • limit the processing of your personal data in certain circumstances, for example where you have contested its accuracy, for the period necessary for the Controller to verify its accuracy. You must also be informed, in an appropriate timeframe, when the period of suspension has expired or the cause for the restriction of processing has ceased to exist, and thus the restriction itself lifted; 
  • obtain your personal data, if they are processed on the basis of a contract and by automated means, in electronic format also for the purpose of transmitting them to another data controller. 

    The Controller shall do so without delay and, at the latest, within one month of receipt of your request. The deadline may be extended by two months if necessary, taking into account the complexity and number of requests received. In such cases, the Controller shall, within one month of receipt of your request, inform you of the extension and of the reasons for it.

    For any further information and in any case to send your request, please write to

How and when can you object to the processing of your personal data?

For reasons relating to your particular situation, you may object at any time to the processing of your personal data if it is based on a legitimate interest by sending your request to 

You are entitled to the deletion of your personal data if there is no legitimate reason overriding the one that gave rise to your request.

Who can you complain to?

Without prejudice to any other administrative or judicial action, you may lodge a complaint with the data protection authority, unless you reside or work in another Member State. In the latter case, or in the case where the breach of data protection legislation occurs in another EU country, the competence to receive and hear the complaint will lie with the supervisory authorities established there.