Privacy Curriculum Vitae

Information on the Protection of Personal Data

(Pursuant to art. 13 et seq. Of the European Regulation no. 679/2016)

Orsana Italia S.r.l., before acquiring your personal data, invites you to carefully read the information on the protection of personal data. The personal data provided will be processed in compliance with the aforementioned legislation. This means that user data is only processed if this is legally required, that is, if in the presence of a legal obligation to process the data that the user has given his authorization or in the presence of a legitimate interest of the owner, pursuant to of the art. 6 paragraph 1 letter b of the GDPR 2016/679. Furthermore, the consent of the interested party which can be considered presumed pursuant to art. 111-bis of Legislative Decree 196/03 amended by Legislative Decree 10 August 2018.

DATA CONTROLLER Data Controller: Orsana Italia Srl, with registered office in Via Ottavio Caiazzo, 9 – 80129 Napoli (NA), Italy, who can be contacted at info@orsanaitalia.it

TYPES OF PERSONAL DATA The following types of personal data are identified: Name, Surname, place and date of birth – Telephone number – Email – Residence address. To this basic information are added all the personal information provided spontaneously as part of the curriculum vitae sent to us. The collection and processing of particular (sensitive) personal data, such as, by way of example, racial origin, political / religious beliefs and / or sexual orientation is not relevant. We therefore ask you to purge your CV of this information.

PURPOSE OF THE PROCESSING Orsana Italia Srl, guarantees that the treatments referred to in the preceding paragraph are carried out for purposes strictly connected to personnel selection activities – in compliance with the rights and fundamental freedoms of clients – and, specifically, to: evaluate the correspondence of the profile with an open position within our organization and, if necessary, to contact the candidate to proceed to an introductory meeting.

DEFINITIONS For the purposes of an easy understanding of these Regulations, some of the definitions contained in art. 4 of the EU Regulation: “ personal data “: any information concerning an identified or identifiable natural person. The natural person is considered identifiable who can be identified, directly or indirectly, with particular reference to an identifier such as the name, an identification number, location data, an online identifier or one or more characteristic elements of his physical identity, physiological, genetic, psychic, economic, cultural or social; “ processing “: any operation or set of operations, carried out with or without the aid of automated processes and applied to personal data or sets of personal data such as the collection, registration, organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, comparison or interconnection, limitation, cancellation or destruction; “ data controller “: the natural or legal person, public authority, service or other body which, individually or together with others, determines the purposes and means of the processing of personal data; “ data processor “: the natural or legal person, public authority, service or other body that processes personal data on behalf of the Data Controller; “ recipient “: the natural or legal person, public authority, service or other body that receives communication of personal data, whether it is a third party or not; (Those public authorities who may receive communications in the context of a specific investigation in accordance with European Union law are not considered recipients). “ supervisory authority “: the independent public authority established by a member state pursuant to art. 51 GDPR “ profiling “: any form of automated processing of personal data consisting in the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects relating to performance professional, economic situation, health, personal preferences, interests, reliability, behavior, location or travel of that natural person; “ pseudonymisation “: the processing of personal data in such a way that they can no longer be attributed to a specific data subject without the use of additional information, as long as they are kept separately entity and subject to technical and organizational measures such as to ensure that the data are not attributed to an identified or identifiable natural person; “ consent of the interested party “: any manifestation of the free, specific, informed and unequivocal will of the interested party, with which the same expresses his / her consent, by means of an unequivocal positive declaration or action, that the personal data that concern him are subject to processing; “ personal data breach “: the security breach that accidentally or unlawfully involves the destruction, loss, modification, unauthorized disclosure or access to personal data transmitted, stored or otherwise treated.

DATA ADDRESSEES For the pursuit of the aforementioned purposes, personal data will be processed by the following subjects directly attributable to Orsana Italia Srl : employees and collaborators of Orsana Italia Srl that they will process the same with computer and paper methods, inserting them in a specific database used in the ways necessary to pursue the aforementioned purposes and within the limits established by current legislation; subjects to whom this communication must be made in fulfillment of an obligation established by law, regulation or community legislation; External partners appropriately appointed as data processors. Your data will be processed only by subjects expressly authorized by Orsana Italia S.r.l. or by companies that act as Data Processors, on behalf of Orsana Italia S.r.l., and that have signed a specific contract that punctually regulates the treatments entrusted to them and the obligations regarding data protection, and will never be disclosed. The updated list of recipients of the data is available by contacting the company at the email address: info@orsanaitalia.it

DATA PROCESSING AND STORAGE METHODS The processing will be carried out in an automated and / or manual form, in compliance with the provisions of Articles 25 and 32 of the GDPR 679/2016 on data protection, by persons specifically appointed in compliance with the provisions of art. 29. The personal data you provide are stored on PCs, servers and paper archives located in the office in Via Ottavio Caiazzo, 80129 – Naples (NA) – Italy. Adequate technical and organizational security measures will be taken continuously to protect against partial or total loss of the above data and from access by unauthorized persons. We point out that, in compliance with the principles of lawfulness, purpose limitation and data minimization, pursuant to art. 5 of the GDPR, the retention period of your personal data is established for a period necessary for the performance of the requested services and in compliance with the regulations in force regarding the conservation of fiscal, tax and contractual documentation.

TRANSFER OF PERSONAL DATA Your data will not be transferred either to third countries outside the European Union, or to international organizations, except for the need to fulfill the aforementioned purposes

RIGHTS OF THE INTERESTED PARTIES The EU Regulation 2016/679 (Articles 15 to 22) confers on the interested parties the exercise of specific rights. 1. The interested party has the right to obtain confirmation of the existence or not of personal data concerning him, even if not yet registered, and their communication in an intelligible form. 2. The interested party has the right to obtain information on: a) the origin of personal data; b) the purposes and methods of the processing; c) of the logic applied in case of processing carried out with the aid of electronic tools; d) the identity of the owner, manager and the designated representative; e) the subjects or categories of subjects to whom the personal data may be communicated or who can learn about them as appointed representatives in the territory of the State, managers or agents. 3. The interested party has the right to obtain: a) updating, rectification or, when interested, integration of data; b) cancellation ( right to be forgotten ), transformation into anonymous form or blocking of data processed in violation of the law, including data which need not be kept for the purposes for which the data have been collected or subsequently processed; c) the attestation that the operations referred to in letters (a) and (b) have been brought to the attention, also as regards their content, of those to whom the data have been communicated or disseminated, except in the case in which this fulfillment proves impossible or involves a manifestly disproportionate use of means