Privacy policy

Privacy Policy
1. Data Controller
Global Tech Force S.r.l.s., Via Corte dei Mesagnesi 30, 73100 Lecce (LE), Italy, VAT No. 05309780756, PEC email: [email protected]

2. Categories of Data Processed via the Website
Navigation data and technical logs: (e.g., IP addresses, date/time, requested URLs).
Data provided via forms/email/telephone: Identification and contact details, message content, attachments.
Applications and CVs (including spontaneous ones): Personal details, contact information, education, experience, references.
Interactions with third-party links (e.g., LinkedIn): When the user accesses LinkedIn, the relative processing is carried out by LinkedIn as an independent data controller, according to its own privacy policy.
3. Purposes and Legal Bases for Processing
Website management, security, maintenance, and prevention of abuse/fraud: Legitimate interest of the controller [Art. 6, para. 1, letter f, GDPR].
Responding to contact requests sent via website channels: Execution of pre-contractual measures and/or legitimate interest [Art. 6, para. 1, letters b and/or f, GDPR].
Receipt, management, and evaluation of applications and CVs; creation of talent pools: Pre-contractual measures and/or legitimate interest [Art. 6, para. 1, letters b and/or f, GDPR].
Legal obligations related to post-hiring phases: Legal obligation [Art. 6, para. 1, letter c, GDPR].
Defense of rights in judicial/extrajudicial proceedings: Legitimate interest [Art. 6, para. 1, letter f, GDPR].
4. Processing Methods and Security Measures
Data is processed using IT tools and, if necessary, paper format, according to measures appropriate for ensuring confidentiality, integrity, availability, and resilience.

5. Retention Periods
Contacts: For the time necessary to provide a response and for a further period proportionate to the purposes and legal protection.
Applications for ongoing selections: For the duration of the selection process and, if necessary, further for legal protection.
Talent pool/future applications: For a defined and communicated period, proportionate to the purpose; for example, up to 24 months from collection, unless there is opposition/revocation or documented needs in the processing register.
6. Special Categories of Data (Art. 9 GDPR)
Users are requested not to include data in their CVs or messages capable of revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic/biometric data, health, sex life, or sexual orientation, unless strictly necessary for specific selections. If provided and necessary, such data will be processed only if one of the conditions of Art. 9, para. 2 GDPR applies (e.g., employment and social security obligations, establishment/exercise/defense of a right, explicit consent), with appropriate safeguards.

7. Recipients and Categories of Recipients
IT providers, hosting, maintenance, security, system administrators, ATS (Applicant Tracking System) providers, consultants/professionals; public entities for legal obligations. These subjects operate as data processors pursuant to Art. 28 GDPR or as independent controllers, depending on the case.

8. Data Transfers outside the EEA and LinkedIn links
Any transfers to third countries/international organizations will take place in compliance with Art. 44 et seq. GDPR, indicating the guarantees (adequacy decisions, BCR, SCC) and the means to obtain a copy. Links to LinkedIn refer to an independent controller: please refer to their respective privacy policy.

9. Information Provided to Data Subjects and Transparency
Information is provided in a concise, transparent, intelligible, and easily accessible way, using simple and clear language; requests are processed without undue delay and within one month (extendable by two months in complex cases). A dedicated cookie policy is available.

10. Rights of the Data Subject
Data subjects may exercise the following rights: access, rectification, erasure (deletion), restriction, portability, opposition; withdrawal of consent (where applicable); complaint to the Supervisory Authority (Garante) and judicial appeal.

11. Provision of Data
Providing data in contact forms is necessary to receive a response; to apply, it is necessary to provide the minimum data required for evaluation. Failure to do so will make it impossible to process the request or evaluate the application.

12. Automated Communications and Decisions
As a rule, decisions based solely on automated processing, including profiling, which produce legal effects or significantly affect the data subject, are not adopted. If provided for in specific selection procedures, meaningful information will be provided regarding the logic used and the anticipated consequences.

13. DPIA and Privacy by Design/by Default (where applicable)
The controller applies data protection by design and by default; it assesses the possible need for a DPIA (Data Protection Impact Assessment) in the presence of high-risk processing; the DPIA describes the processing/purposes, necessity/proportionality, risks, and mitigation measures.

14. Contacts for Exercising Rights
For privacy requests: email [email protected] or the postal address of the controller (Global Tech Force S.r.l.s., Via Corte dei Mesagnesi 30, 73100 Lecce).

15. Updates to the Policy
This policy may be updated to reflect regulatory or organizational changes; changes will be published on the site with an indication of the date of the last update.