Dear Candidate,
pursuant to art. 13 of the General Regulation for the Protection of Personal Data (EU Regulation 2016/679 hereinafter “Regulation”), the Data Controller informs you of the following:

1. Data Controller

JotUrl Srl
Headquarter: Via Angelo Pegoraro 26, 21013 Gallarate (VA) – Milan Malpensa – Phone +39 02 87167704
Branch office: Via del Tiratoio 1, 50124 Florence – Phone +39 055 7476020
P.IVA IT06002360482
Web Site:

The Data Controller has appointed the Personal Data Protection Officer (RPD/DPO) who can be contacted at their mail.


2. Data, purpose and legal basis of the processing

The Data Controller will use your personal data, collected by sending applications via email and/or website form, to examine the candidates’ applications for the purpose of a possible contact.

The data processed as a result of sending a CV and/or a cover letter will be as follows:
– professional/work details (e.g. university attended, knowledge of foreign languages, professional qualifications, candidate expectations and desired place of work, links to your professional profiles on social networks, etc.)
– any particular categories of personal data such as belonging to protected categories, in order to comply with current legislation on the matter
If you provide us with third-party data (e.g. contact details of references) you will act as an independent data controller, assuming all legal obligations and responsibilities. In this sense, you grant the broadest indemnity on this point with respect to any dispute, claim, request for compensation for damage caused by data processing, etc. that should reach the Data Controller from third parties whose personal data have been processed through its sending in violation of the applicable personal data protection regulations. In any case, if you provide or otherwise process personal data of third parties when sending your application, you guarantee from now on – assuming all related responsibility – that this particular case of processing is based on the consent of the third party concerned or on another suitable legal basis that legitimizes the processing of the information in question.
The legal basis identified for processing your personal data for the purposes indicated above is the following:

Search and selection: processing for this purpose serves the Data Controller to be able to take your application into consideration and is therefore necessary to be able to start the selection process in order to possibly offer you a job position. The legal basis underlying the purpose set out is represented by the pursuit of the legitimate interest of the Data Controller (art. 6 par.1 letter f of EU Regulation 2016/679).

The provision of your personal data is not mandatory, but otherwise it will not be possible to take your application into consideration. If you wish to provide particular categories of personal data (e.g. data relating to health, religion, etc.), the Data Controller will need your specific consent to be able to process them.


3. Processing Methods

The processing will be carried out with manual and/or IT and telematic tools, with organization and processing logic strictly related to the purposes themselves and in any case in such a way as to guarantee the security, integrity and confidentiality of the data, in compliance with the organizational, physical and logical measures envisaged by the provisions in force.


4. Data Retention

The Personal Data processed for the purposes of Search and selection will be retained by the Data Controller for the entire period in which the position for which the application was sent is still open. Your CV will be deleted 12 months after the date of receipt of the application or the closing date of the search. The Data Controller reserves the right to contact candidates before the expiry of this period to request them to extend the retention period of their personal data or to request an update. In case of failure to respond, the Data Controller will delete the personal data collected.


5. Scope of communication and dissemination of data

The subjects authorized to process the data may become aware of your data, as well as the external data processors appointed by the Data Controller (the complete list of external data processors is available from the Data Controller), responsible for managing the purposes set out above.

Your personal data may be shared with the subjects indicated below:
• subjects who typically act as external data controllers, i.e.: i) people, companies or professional firms that provide assistance and consultancy in accounting, administrative, legal, tax, financial and other matters;
• subjects with whom it is necessary to interact for the functionality of the email system (for example hosting providers or providers of platforms for sending emails);
• subjects delegated to carry out technical maintenance activities (including maintenance of network equipment and electronic communications networks);
• persons authorized by the Data Controller to process personal data necessary to carry out activities on behalf of the Data Controller, who are committed to confidentiality or have an adequate legal obligation of confidentiality (e.g. employees of the Data Controller);
• subjects, bodies or authorities to whom it is mandatory to communicate your personal data due to legal provisions, or orders from the authorities.

Your personal data will not be disclosed in any way.


6. Automated decision making

Personal Data is not subjected to processing that involves automated decisions without human intervention, including profiling.


7. Rights of data subject

According to European Regulation 2016/679 (GDPR) and national legislation, the data subject may, according to the methods and within the limits established by current legislation, exercise the following rights:
– request confirmation of the existence of personal data concerning him (right of access);
– know its origin;
– receive intelligible communication;
– have information about the logic, methods and purposes of the processing;
– request its updating, rectification, integration, cancellation, transformation into anonymous form, blocking of data processed in violation of the law, including data no longer necessary for the pursuit of the purposes for which they were collected;
– in cases of processing based on consent, receive, at the sole cost of any support, the data provided to the Data Controller, in a structured form readable by a data processor and in a format commonly used by an electronic device;
– the right to lodge a complaint with the Supervisory Authority (Privacy Guarantor);
– as well as, more generally, exercise all the rights recognized by the current legal provisions.

The exercise of the rights relating to the purposes set out in paragraph 2.2 letters a and b may take place by sending a request which must be addressed without any formality to the data controller, as better identified above, also via the email address of the Data Controller.

Last updated on 09/11/2023