PRIVACY NOTICE FOR CANDIDACIES

With this policy, as prescribed by the current legislation on the protection of personal data (art. 13 General Data Protection Regulation, hereinafter also GDPR), BKT Europe Srl (hereinafter also the "Data Controller" or "Company") provides job applicants (referred to as "data subjects") with information relating to the processing of their data.

WHO IS THE CONTROLLER AND HOW TO CONTACT THEM

The Processing Controller is BKT Europe Srl, represented by its pro tempore legal representative, with registered office in Viale Bianca Maria 25, 20122 Milan, and operating office in Viale della Repubblica 133, 20831 Seregno (MB), VAT number 05404270968. The Company can be contacted at the email address [email protected]

WHAT DATA IS PROCESSED

The data processed are the identification and curricular data, provided by the data subject through the form on the site and the file upload system made available. The collection will only cover common data. Therefore, the candidate must not indicate particular personal data – i.e. data which may reveal racial and ethnic origin, religious, philosophical or other beliefs, political opinions, membership of political parties, unions, associations or organisations of a religious, philosophical, political or union nature, as well as data which may reveal health status and sex life – which in any case, should they be transferred, will be immediately cancelled.

WHAT ARE THE PURPOSES AND LEGAL BASES OF THE PROCESSING?

The data supplied by the data subject is processed solely to assess their candidacy.

More specifically, the data is used to:

examining the candidacy application of the data subject;

proceed to verify the conditions for hiring and/or starting a collaboration.

The legal basis for the processing of the data collected is the execution of pre-contractual measures, preparatory to the establishment of the employment or collaboration relationship.

Should it be necessary, the data can also be used in regard to the Controller's legitimate interest to defend themselves or to enforce or defend a right before the courts.

WHO CAN SEE THE DATA?

The data will be processed by employees of the Controller who are authorised to process it.

The data may be accessible to theParent Company based in India as an independent controller in view of the legitimate interest of the controller to collaborate with the other companies of the group in the case of open positions and the advantage that the data subject can derive from the contact aimed at evaluating the proposed candidacy.

The data may be seen by the competent Authorities in the case of specific requests which the controller is legally required to implement, by consultants or companies which provide IT supplies and assistance, by the parent company for the email service, by the supplier used to manage the form and by the consultants for managing disputes and for legal assistance should there be disputes which make their involvement necessary.

It is noted that some of the indicated subjects operate as data processors and that communication to people who operate as autonomous controllers is undertaken because it is prescribed by legal obligations or needed to fulfil the obligations arising from the contractual relationship or the controller's legitimate interest which consists of maintaining the security of IT systems with maintenance work by qualified staff and in undertaking defensive action through legal consultants.

The data subject may request a detailed list of the recipients of the data from the Data Controller, to the extent that it is possible to specifically identify them.

Communication is in any case limited to the sole categories of data the transmission of which is necessary to undertake the activities and purposes being pursued.

HOW IS THE DATA MANAGED?

The data collected are processed with IT tools and on paper, in compliance with the security obligations prescribed by current legislation to prevent the loss of data, illicit or incorrect use and unauthorized access.

Retention period

The data will be conserved by the Controller for the time needed for the obligations envisaged for the selection and assessment of the candidate and in any case for no more than one year from its collection, without prejudice to the possible establishment of the employment and/or collaboration relationship.

This is without prejudice to any defensive needs, so the data may be stored even beyond the terms indicated.

Transfer of data abroad

The data will be transferred outside the European Union and the European Economic Area (India) in the absence of adequacy decisions from the EU Commission, but the transfer will be assisted by appropriate safeguards; in particular, standard contractual clauses will be used with additional contractual measures.

WHAT HAPPENS IF THE DATA IS NOT PROVIDED?

The provision of data is optional and is left to the will of the candidate who decides to send his or her CV and application request. Failure to transfer the data makes it impossible to verify the grounds for recruitment and/or starting collaboration and, so the possible establishment of the relationship with the Controller.

WHAT ARE THE DATA SUBJECT'S RIGHTS?

The law recognises for the data subject the right to ask the processing controller for access to the personal data and its rectification or cancellation or limitation of the processing regarding them or to object to its processing, as well as the right to data portability.

The data subject may assert their rights at any time, without formalities, by contacting the processing controller through the email address [email protected].

Here below is a breakdown of the rights recognised by the law in force on the protection of personal data.

The right of access, i.e. the right to obtain from the Data Controller confirmation that processing of personal data regarding the data subject is or is not happening and, if so, to obtain access to the personal data and to the following information: a) the purposes of the processing; b) the categories of personal data in question; c) the recipients or the categories of recipients to whom the personal data has been or will be communicated, in particular if recipients in other countries or international organizations; d) when possible, the retention period of the personal data envisaged or, if not possible, the criteria used to determine this period; e) the existence of the data subject's right to ask the Data Controller to rectify or cancel personal data or to limit the processing of the personal data regarding them or to oppose its processing; f) the right to lodge a complaint to a supervisory authority; g) should the data not be collected from the data subject, all the information available on its origin; h) the existence of an automatic decision-making process, including profiling and, at least in these cases, significant information on the approach used, as well as the importance and consequences envisaged of this processing for the data subject. Should the personal data be transferred to another country or international organization, the data subject then has the right to be informed of the existence of adequate guarantees relating to its transfer.

The right to rectification, i.e. the right to obtain from the Data Controller the rectification of imprecise personal data regarding them without unjustified delay. Taking account of the purposes of processing, the data subject has the right to integrate incomplete personal data, also by providing an additional statement.

The right to cancellation, i.e. the right to obtain from the Data Controller the cancellation of personal data regarding them without unjustified delay if: a) the personal data is no longer necessary in regard to the purposes for which it was collected or otherwise processed; b) the data subject withdraws their agreement on which the processing is based and if there is no other legal basis for the processing; c) the data subject opposes the processing undertaken because necessary to carry out a public service or connected to the exercise of public powers with which the Controller is invested or to pursue a legitimate interest and there is no prevailing legitimate reason to proceed with the processing, or opposes the processing for direct marketing purposes; d) the personal data was illegally processed; e) the personal data must be cancelled to fulfil a legal obligation envisaged by the law of the European Union or of the Member state to which the Data Controller is subject; f) the personal data was collected in relation to the company's offer of services for information to minors. The request for cancellation cannot, however, be accepted if the processing is necessary: a) to exercise the right to freedom of expression and information; b) to fulfil a legal obligation which requires processing as envisaged by the law of the European Union or of the Member state to which the Data Controller is subject or to execute a task undertaken in the public interest or in the exercise of public powers with which the Data Controller is invested; c) for reasons of public interest in the public health sector; d) for the purposes of archiving in the public interest, scientific or historic research or statistical purposes, to the extent to which cancellation risks making impossible or seriously compromising achieving the goals of such processing; or e) for verifying, exercising or defending a right in the courts.

The right to limitation, i.e. the right to obtain that the data is processed, other than for its retention, only with the agreement of the data subject or for verifying, exercising or defending a right in the courts or to defend the rights of another person or corporation or for reasons of significant public interest of the European Union or of a Member state if: a) the data subject challenges the preciseness of the personal data, for the period necessary for the Data Controller to verify the exactness of this personal data; b) the processing is illegal and the data subject opposes the cancellation of the personal data and instead asks that its use is limited; c) although the Data Controller no longer needs it for processing purposes, the personal data is necessary for verifying, exercising or defending a right in the courts; d) the data subject has opposed the processing undertaken because necessary to carry out a public service or connected to the exercise of public powers with which the Controller is invested or to pursue a legitimate interest of the Data Controller or of third parties, pending verification of the possible prevalence of the legitimate reasons of the Data Controller over those of the data subject.

The right to portability, i.e. the right to receive the personal data regarding them provided to the Controller in a structured form, for shared use which can be read by an automatic device and has the right to transmit this data to another controller without impediment by the Controller to whom they have provided the data, as well as the right to obtain direct transmission of the personal data from one controller to another, if technically feasible, should the processing be based on agreement or on a contract and the processing is carried out with automated means. This right leaves the right to cancellation unaffected.

In particular, it should be noted that the right to object, i.e. the right of the data subject to object, at any time, for reasons relating to his or her particular situation, to the processing of personal data concerning him or her because it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or for the pursuit of the legitimate interest of the controller or of third parties. Should the personal data be processed for direct marketing purposes, the data subject has the right to oppose at any time the processing of the personal data regarding them undertaken for these purposes, including profiling to the extent this is connected to such direct marketing.

Based on the provisions of art. 22 of the GDPR, the data subject then has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them, unless the decision a) is necessary for the conclusion or performance of a contract between the data subject and a processing controller; b) is authorised by the law of the Union or of the Member State to which the processing controller is subject, who also specifies appropriate measures to protect the rights, freedoms and legitimate interests of the data subject; c) is based on the explicit consent of the data subject.

The data subject is then informed that, if he or she believes that the processing of his or her personal data is in violation of the provisions of the GDPR, he or she has the right to lodge a complaint with the Supervisory Authority (Article 77 of the Regulation) or to take legal action (Article 79 of the Regulation).

This privacy policy was last updated on 20 February 2026