Privacy Notice Candidates

Privacy Notice on the Processing of the Personal Data of Candidates pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (“GDPR”)

Pursuant to and for the purposes of Articles. 13 and 14 of Regulation (EU) 2016/679 on the Protection of Personal Data (hereinafter “GDPR”), with this document Fondazione “Biotecnopolo di Siena” (hereinafter Fondazione) intends to provide candidates with information about the purposes, means, and scope of communication and dissemination of the personal data they provide when applying through the website, by e-mail or ordinary mail, or on an evaluation interview at Fondazione.

Regulatory References

This privacy notice is intended for individuals who, spontaneously or in response to a recruitment initiative by Fondazione, send or make available to Fondazione their curriculum vitae and additional information on their professional experience, pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 – European General Data Protection Regulation (“GDPR”).

Who Processes Personal Data

The Data Controller, i.e., the subject that determines the purposes and means of the processing of the candidate’s personal data, is Fondazione “Biotecnopolo di Siena”, Via Fiorentina no .1 – 53100 Siena (email: All Fondazione employees and/or collaborators are/shall be appointed and duly authorized to process personal data and have/shall have received appropriate operating instructions in this regard.

What Personal Data Regarding the Candidates Are Processed and What Sources Are Used

Fondazione collects/shall collect personal, contact and curricular data (i.e., relating to education, training, and professional experience) of the candidate (the “Data”). The candidate is only required to provide non-sensitive data (education, personal details, work experience), and should not provide any data revealing racial or ethnic origin, religious, philosophical or other beliefs, political opinions, membership in political parties, trade unions, religious, philosophical, political or trade union associations or organizations, nor any personal data concerning health or sex life; as regards the sensitive data of disabled workers, pursuant to the current regulations (Italian Law 68/99) on the employment of disabled people, candidates should only state that they meet qualification requirements for disability without specifying any pathology. Data are collected directly from the candidate or third parties, namely from public access sources (e.g., public lists of universities, training institutions, professional registers, etc.), or from third-party recruitment agencies, which have the candidates’ consent to share the data. In such cases, this privacy notice is provided at the time of registration of the candidate’s personal data and, in any event, no later than the first possible communication. When applying in response to a specific announcement, the data may also be processed for future search and selection of personnel, in line with the candidate’s profile.

Purposes of the Processing

The Data collected are processed to assess whether the candidate has the skills needed to be hired or to start a collaboration with Fondazione, as well as for purposes connected to or instrumental in the search and selection of candidates.

Legal Grounds for Processing

The Data are processed for personnel selection purposes and for pre-contractual/contractual activities as requested by the candidate.

Consequences of Failure to Provide the Data

The provision of the Data is optional. Failure to provide the Data shall make it impossible for the Controller to process them and hence the impossibility of carrying out selection activities, preventing the application from being considered with the aim to establish possible working relationships with the candidates.

Means of Processing

The candidates’ personal data are processed both on paper and using electronic/computer/telematic means. Processing involves the operations listed under Art.4(2) of the GDPR, namely collection, registration, organization, storage, consultation, processing, modification, selection, extraction, alignment, use, combination, restriction, communication, erasure, and destruction of data. Data processing by the Controller is not based on automated decision-making.


In addition to Fondazione employees and collaborators to whom the Data may be disclosed, they being in charge of examining applications and duly authorized by the Controller under whose supervision they operate and from whom they receive instructions, the Data may be disclosed to third parties collaborating with Fondazione for the purpose of evaluating and selecting candidates. The updated list of recipients may be requested from the Controller at

Retention Time

The Data shall be retained by the Controller on paper and using electronic means for a maximum period of 24 (twenty-four) months starting from the date of receipt of the candidate’s CV, after which the Data shall be erased.

Should a working relationship be established, the personal data shall be retained from the date of their receipt/update for such time as deemed appropriate for the management of the working relationship.

Transfer of the Data Abroad

The Data shall not be transferred outside the European Union.

Rights of the Data Subject

The candidate is entitled to contact the Controller to exercise the following rights:

  • obtain confirmation that the candidate’s Data are being processed and, where that is the case, obtain access to the Data and the information stated under Art. 15 of the GDPR (purposes of the processing, categories of personal data, categories of recipients, and data retention time);
  • obtain the rectification of inaccurate Data;
  • have incomplete Data completed;
  • obtain the erasure of the Data, as provided by law;
  • obtain the restriction of Data processing allowing the candidate to obtain, as provided by law, the marking of stored personal data with the aim of limiting their processing in the future;
  • receive the Data in a structured, commonly used, machine-readable format and transmit it to another controller (so-called data portability);
  • withdraw consent, where given;
  • object to Data processing, in whole or in part, in accordance with the law, where applicable;
  • not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the candidate or similarly significantly affects the candidate;
  • lodge a complaint, pursuant to Art. 77 of the GDPR, with the National Supervisory Authority of the Member State of the European Union where the data subject has his or her habitual residence or place of work, or where the alleged infringement of his or her right has occurred; if the Member State is Italy, the candidate may contact the Italian Supervisory Authority for the Protection of Personal Data (the Italian Data Protection Authority – Data Protection Officer, Piazza Venezia 11, IT-00187 Rome).

The foregoing rights may be exercised by sending an email to the following address:

Download privacy notice