Privacy for Candidates


For candidates

The “Data Controller”

Under Section 4 of EU Regulation 2016/679 containing the Personal Data Protection Code and the free movement of such data (henceforward referred to as “EU Regulation”), Carter & Benson S.r.l. is the Data Controller of the acquired personal data and in compliance with Article 13 of EU Regulation (“Information to be provided where personal data are collected from the data subject”) provides the following information.

The Company hereby informs you that any acquired personal data, even relating to existing legal relationships (including, by way of example but not limited to employees, collaborators, trainees, etc.) shall be undergoing processing in compliance with the above mentioned law provisions. With respect to the aforesaid processing operations, the following information is among other things hereby provided by the Controller.

“Personal data” (art. 4 number 1 EU Regulation 2016/679) means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

“Processing” (art. 4 number 2 EU Regulation 2016/679)  means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

These operations shall be carried out with respect to the principles of fairness, lawfulness, transparency and for the safeguard of your confidentiality and your rights.


Collected personal data

Collected personal data shall be essentially relating to:

  • Identification data (name and surname, address, phone number, fax, e-mail, tax dates, etc.);
  • Data relating to future legal relationships (by way of example but not limited to: subordinate employment, collaboration as free lance, stage, etc.). These data may be provided directly by the subject (in n the broadest sense of the word). 
  • “Special categories” of personal data:
  • general health status (e.g. belonging to protected categories);
  • political opinions, religious or philosophical beliefs;
  • trade union membership.

Identity and contact details of the Data Controller

Company Name: Carter & Benson S.r.l.

Legal office: Foro Buonaparte 22, 20121 Milan

Telephon number: 02/80509788



Purposes of processing operations

Purposes of personal data processing are the following:

  1. Management of database and curriculum vitae of candidates with reference to research and selection of candidate in order to offer new job opportunities and management of the selection process of internal personnel, included curriculum vitae.
  2. Internal analysis (in aggregated form).
  3. Collection and management of feedback from candidates in order to improve the service.

For each of the above mentioned purposes you can find details about type of data, type of personal data and the related conservation time in the following chart:


Purpose of processing operation of personal data  Legal basis of the processing Types of personal data subject to processing Personal data retention period Type of recipient
Purpose 1 Agreement
  • Identification data 
  • Personal data
  • Special categories of personal data
5 years *
Purpose 2 Legitimate interest
  • Identification data 
  • Personal data
24 months *
Purpose 3 Agreement
  • Identification data
  • Personal data
5 years *


*Types of recipients

With reference to the above mentioned purposes, data may be communicated to the following subjects and/or subject categories, or rather be communicated to companies and/or individuals, within the EU, that provide services, also external, in name of the Data Controller. Among these ** hereafter their different categories are indicated by way of example but not limited to:

  • Consulting companies;
  • Professional firms;
  • Occupational doctor;
  • Comptent authorities or public institutions for the performance of legal obligations;
  • IT providers;
  • Authorities or Surveillance bodies;
  • Insurance companies;
  • Employment consultants.

(**) a list of external Subject/Responsible with other useful data for identification is available at the Data Controller office. 


Data transfer to third non-EU countries

The Data Controller does not transfer personal data in extra-EU countries.


Retention time

See chart 1 column 4 (personal data retention period)


Data subjects’ rights

With regard to the aforesaid processing operations, the rights referred to Section 4 of EU Regulation 2016/679 may be exercised as follow:

  • right of access by the data subject [art. 15 of EU Regulation](right to obtain from the controller confirmation as to whether or not Personal Data are being processed, and, where that is the case, access to the related information);
  • right to rectification [art. 16 of EU Regulation](right to obtain the rectification of inaccurate Personal Data concerning him or her);
  • right to erasure of Personal Data concerning him or her without undue delay (“right to be forgotten”) [art. 17 EU Regulation] (data subject shall have the right to erasure of Personal Data);
  • right to restriction of processing of Personal Data as regulated by art. 18 EU Regulation (where the processing is unlawful or the accuracy of the Personal Data is contested by the data subject )[art. 18 EU Regulation];
  • right to data portability [art. 20 EU Regulation] (data subject shall have the right to receive the Personal Data concerning him or her, in a structured format to transmit those data to another controller pursuant to mentioned article);
  • right to object to processing of Personal Data [art. 21 EU Regulation] (the data subject shall have the right to object to processing of Personal Data concerning him or her);
  • right not to be subject to a decision based on automated processing [art. 22 EU Regulation] (the data subject shall have the right not to be subject to a decision based solely on automated processing).

Further information about the data subject’s right are provided on the company website or rather asking to the Data Controller the complete extract of the above mentioned articles.

The above mentioned rights can be exercise pursuant to Regulation, thus sending an email to

Carter & Benson S.r.l., pursuant to art. 19 EU Regulation, provides to communicate any rectification or erasure of personal data or restriction of processing to each recipient, unless this proves impossible or involves disproportionate effort. 

Whereas the purpose pursued by Carter & Benson S.r.l. is based on consent, the data subject has the power to withdrawal at any time, sending and email to

Pursuant to art. 7 EU Regulation, the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.


Right to lodge a complaint

The data subject, if considers that the processing of personal data relating to him or her infringes the Regulation, shall have the right to lodge a complaint with a supervisory authority, following the instructions given in the following internet page


Compulsory provision of personal data

Where the purpose of processing is based on a legal or contractual (or even precontractual) obligation, the data subject must provide the required data. Otherwise, the Data Controller will not have the possibility to pursue the specific purpose of processing.


Automated processing 

The Data Controller does not use an automated processing. 


Mechanisms of processing operations

Personal data will be processed in paper form, electronically or on-line, and inputted in the relevant databases (comprising data of clients, suppliers, administration data, etc.) which will be accessible by, and, therefore, disclosed to, explicitly appointed personnel by the Data Controller, such as Data Processors or Persons in charge of the processing of personal data, and they will be allowed to carry out reference operations, utilization, processing, compare, and any whatsoever appropriate operation, even automated, in compliance with the necessary law provisions to guarantee, among others, privacy and data protection as well as their accuracy, revision, and relevance with regard to the declared purposes.


Modifications and updates

The present circular is effective at the indicated date.

Carter & Benson S.r.l. may modify and/or integrate the document also as consequence of potential and consequent modifications and/or updates of the regulation. Any modifications will be notified and the subject will view the updated text on the website section Privacy.