Re: Corcym opportunity

INFORMATION ON THE PROCESSING OPERATION OF PERSONAL DATA OF CANDIDATES

ONLINE APPLICATION CANDIDATES

Pursuant to Article 13 of Regulation (EU) 2016/679 (hereinafter, the "GDPR"), we inform you that the personal data you provide in order to fill in the form within the ["Careers"] section of the Company's web portal - www.corcym.breezy.hr- (hereinafter, the "Portal"), will be processed to enable you to apply for an open position of your interest. Each Corcym Group Company acts as an autonomous Data Controller exclusively for the positions it publishes, taking into account the provisions of the GDPR.

Please be advised that your application may in any case be considered for any available professional opportunity that we feel best matches your skills and experience.

DATA CONTROLLER

Company name (based on territorial competence): Corcym S.r.l. Address: Via Giovanni Spadolini 7, 20141, Milan, Italy. Email address: privacy@corcym.com ("Company").

PERSONAL DATA PROCESSED

The Company will process cd. common data, such as your first name, last name, place and date of birth, residence, e-mail address and telephone contacts, educational qualification, work experience, as well as cd. special categories of data, such as information suitable to reveal your health status (such as belonging to protected categories) and any other data you enter on the Portal (in online forms, resume, cover letter, etc.). Such data will be hereinafter referred to as "Data".

**1. LEGAL BASIS, PURPOSE AND RETENTION TIME FOR PROCESSING OPERATIONS **

PURPOSES OF THE PROCESSING

The Data will be processed with the submission of your application to one or more specific open positions and, provided that 12 months have not elapsed since your application, to also be contacted for future positions similar and/or suitable to your profile. If necessary, to demonstrate the Company's compliance and to ascertain, exercise and/or defend the Company's rights in court.

LEGAL BASIS FOR PROCESSING OPERATIONS

Performance of a contract to which you are a party (Art. 6.1(b) GDPR). Regarding special categories of data, the purpose is the need to fulfill the obligations and exercise the specific rights of the Controller or data subjects in the field of labor and social security law and social protection (Art. 9.2(b) GDPR). Common Data will be processed for Controller's legitimate interest (Art. 6.1(f) GDPR). Particular Categories of Data will be processed to establish, exercise or defend a right in court (Art.9.2(f) GDPR).

DATA RETENTION PERIOD

Your Data will be kept for 12 months after you send your application through the Portal. After that time all information will be deleted.
For compliance purposes for up to 12 years. Throughout the duration of the litigation, until the time limits for appeal actions are exhausted.

After the above retention periods have expired, the Data will be destroyed or anonymized, consistent with the technical procedures for deletion and backup.

PROVISION OF DATA AND TRANSFER OF PERSONAL DATA TO COUNTRIES OUTSIDE THE EUROPEAN UNION

The provision of Data is necessary to send your application for search and selection activities; therefore, any refusal to provide it does not allow your CV and information to be shared and your application to be considered. Data are not subject to transfer outside the European Union. If a transfer to entities established in third countries, i.e. outside the European Economic Area, is necessary, it will be adjusted in ensuring a level of data protection substantially equivalent to that required by EU law. For more information with respect to data transfers outside the European Economic Area you may write to privacy@corcym.com.

FULLY AUTOMATED DECISION-MAKING PROCESSES

Controller informs you that as part of the selection process, no automated processes and algorithms (typically mathematical calculation factors and statistical processes) applied to a set of source personal data actually attributable to you and capable of producing effects on your legal sphere or otherwise significantly affecting your person are used.

MODALITIES OF PROCESSING OPERATIONS AND DATA RECIPIENTS

The processing of your Data is done through specific form within the Portal and stored within a specific database to which only employees of the Company have access, as well as if you have given specific consent, also by employees of the other Group Companies.

The Data may be communicated to entities operating as autonomous data controllers, such as public authorities or professional firms, or processed, on behalf of the Company, by entities that provide services functional to the pursuit of the above purposes (e.g., IT services, employee selection, Platform manager, etc.), designated data processors pursuant to Article 28 of the GDPR.

In addition, the Data are processed by the Company's employees belonging to the business functions assigned to the pursuit of the above purposes, who have been expressly authorized for processing operations and have received appropriate operational instructions.

DATA SUBJECT RIGHTS - COMPLAINT TO THE SUPERVISORY AUTHORITY

By contacting the Privacy Office by e-mail at privacy@corcym.com, data subjects can exercise the rights recognized by Articles 15-22 of the GDPR, and in particular, they can ask the Controller for access to the data concerning them, their rectification, integration or deletion, as well as, the restriction of processing operations in the cases provided for by Article 18 of the GDPR.

Data subjects, moreover, where processing operations are based on consent, have the right to receive in a structured, commonly used, machine-readable format the data, as well as, if technically feasible, to transmit them to another Controller without hindrance.

Data subjects have the right to withdraw any consent given at any time.

Data subjects have the right to object at any time, easily and free of charge, for reasons related to the particular situation, to the processing operation of the Data in cases of legitimate interest of the Controller.

Data subjects have the right to lodge a complaint with the competent supervisory authority in the member state where they usually reside or work or the state where the alleged violation occurred.

HAVING READ THE INFORMATION

I acknowledge that I have received and read the Candidate Privacy Policy.