Information on the processing of personal data for Candidates

Pursuant to regulations applicable to the protection of personal data, with particular reference to arts. 13 and 14 of (EU) Regulation 2016/679 (hereinafter the "Regulation" or "GDPR"), Beauty & Business S.p.A., with registered office at via Cesare Cantù, 1, 20123, Milan, in its capacity as Data Controller (hereinafter "B&B" or "Controller"), hereby informs you that your personal data collected for the purposes of selecting personnel will be processed in full compliance with applicable regulations, guaranteeing the rights and fundamental liberties to which you are entitled.

Origin and type of data processed

The processing of your personal data that in general are provided by you directly (by email, in hard copy, by completing the appropriate form on the Controller's website, etc.), but which can also come from third parties to whom selection activities have been entrusted (head-hunting companies, specialist personnel selection websites, etc.), is carried out by the Controller for the selection of potential candidates with whom it might establish a collaborative relationship in the form and by the means identified on a case-by-case basis, in accordance with the obligations deriving from any applicable laws. This processing concerns:

  a) personal details, contact details, data relating to training courses carried out (academic qualifications, training courses, etc.);
  b) data relating to previous professional experience, to knowledge of foreign languages, and any other information relevant for assessing your CV including payment levels, etc.;
  c) data from public sources such as websites, social networks (data contained in your public profile on Facebook / LinkedIn, etc.), newspapers and magazines, including specialist ones, scientific publications or other documents or written material that is published or in some way freely consultable, websites specialising in job adverts and applications.

Among the aforementioned data, there may also be data that the applicable regulations consider "personal" (sensitive data). Furthermore, the Controller is required to request the data relating to criminal convictions (judicial data) for the purpose of Corporate Certification AEO. Personal/sensitive data are (pursuant to art. 9 paragraph 1 of the GDPR), for example, those that could reveal a person's state of health, membership of a political party or trade union, religious conviction, disability or ethnic origin. Any personal/sensitive data will be processed without the need for specific consent, which will be collected when any first contact or interview occurs.

Legal basis and purpose of processing

Your personal data, requested or acquired whether in advance or during selection activities, will be processed by the Controller for the following purposes:

  1. managing the assessment of your CV;
  2. planning and managing selection interviews, which could be in an interactive or group mode;
  3. proposing your candidature to other companies of the AlfaParf Group, to which the Controller belongs.

These data are processed in accordance with art. 6 paragraph 1 b) of the GDPR, even sensitive data, in order to initiate activities for assessing your candidature, skills and capacities. The judicial data are processed for the legitimate interest of the Controller to maintain its AEO certification. All of the criteria established by Legislative Decree 125/91 with regard to an absence of sexual discrimination during selection will be adopted.

Communication, distribution and security

Your data may be communicated to third parties such as trusted external companies operating, for example, in the sector of personnel selection, in skills assessment activities and, where necessary, to operational structures in the health sector of which the Controller avails itself, for reasons of a technical and organisational nature, for the management of your candidature; to external professionals as well as companies, consortia and/or other legal entities in which the Controller holds a stake or other companies of the AlfaParf Group interested in establishing a working relationship with you. These parties, companies and professionals will process your data as autonomous controllers or, when necessary, data managers duly appointed by the Controller. All employees, consultants, temporary staff and/or any other individual carrying out activities on the basis of instructions received from the Controller, pursuant to art. 29 of the GDPR, are appointed "Processors". Processors and Managers, as designated pursuant to art. 28 of the GDPR, may be given suitable operational instructions by the Controller, with particular reference to the adoption and observance of security measures, in order to ensure the confidentiality and security of data. The Controller guarantees that the security and confidentiality of your data are protected by suitable protective measures, on the basis of the provisions of arts. 5, 24 and 32 of the GDPR, in order to reduce the risks of destruction or loss, even if accidental, of data, unauthorised access, or processing not consented to or not compliant with the purposes of collection.
Furthermore, as the Controller belongs to the AlfaParf Group, your data may also be processed, in the context of normal staff selection management activities, by the other companies forming part of the Group, or by individual employees thereof, for necessary organisational, administrative, financial and accounting activities that may be carried out by any of those companies in favour of the others. The Controller is nonetheless obliged to communicate data to the competent authorities, at their specific request.

Transfer abroad

Your data may be transferred outside the European Economic Area if this is necessary for managing your candidature. In this case, the recipients of the data will be subject to protection and security obligations equivalent to those guaranteed by the Controller, and only those data necessary for pursuing the established objectives will be communicated, and the applicable guarantees established by law with regard to the transfer of data to third countries will be applied.

Processing methods, storage times

Your data are collected and recorded legally and correctly, for the pursuit of the aims indicated above and in accordance with the fundamental principles established by applicable regulations. The processing of personal data may take place by means either of manual or of computer-based and electronic tools, but always under the protection of technical and organisational measures suitable for ensuring security and confidentiality, in particular in order to reduce the risks of destruction or loss, even if accidental, of data, of unauthorised access, or of processing not consented to or not in accordance with the purpose of collection. Personal data will be processed by the Controller for the entire duration of the selection process and will be stored for 12 months, after which they will be deleted.

Nature of data provision and consent for processing

As indicated above, the provision of your data is obligatory, as it is necessary for the pursuit of the purposes set out in point 1 letters a) and b) in relation to the selection of staff. However, the provision of your personal data for the purposes set out in point 1 letter c) is optional, and you can freely decide whether to provide specific consent when any first contact or interview occurs, consent that you can always withdraw. If your CV contains personal/sensitive data, processing these may require the consent that must be issued in the established forms.

Your rights

You can at any time exercise the rights given to you by law:

  1. to access your personal data, obtaining evidence of the objectives pursued by the Controller, of the categories of data involved, of the recipients to whom the data may be communicated, of the applicable storage period, and of the existence of automated decision-making processes;
  2. to obtain, without delay, the correction of any inaccurate personal data concerning you;
  3. to obtain, in the specified cases, the deletion of your data;
  4. to obtain a limitation of processing or to object to processing, in the cases established by law;
  5. in the case of automated decision-making processes, including profiling, to object if the conditions established by law apply;
  6. to request the transfer of data that you have provided to the Controller, i.e. to receive them in a structured, commonly used and machine-readable format, including for transferring these data to another controller, without any impediment from the Controller, in the cases established by law;
  7. to make claims to the Personal Data Protection Authority.

To exercise these rights, contact the personal data Controller by email, at

Personal data Controller

The data Controller, pursuant to applicable regulations, is B&B S.p.A., with registered office at via Cesare Cantù, 1, 20123, Milan.


Yours faithfully

The Data Controller

B&B S.p.A.