Privacy Policy “Looking for doctors and healthcare personnel”

pursuant to art. 13 of Italian Legislative Decree no. 196 of 30.6.2003 and art. 13 of EU Reg. no. 2016/679 PUBLIC NOTICE


The Welfare Directorate General of the Lombardy Regional Executive Board and the Social and Healthcare Service Boards/Bodies of the Lombardy Region, in their capacity as Data Controllers (hereinafter, "Data Controller"), hereby inform you, pursuant to art. 13 of Italian Legislative Decree no. 196 of 30.6.2003 (hereinafter, "Privacy Code") and art. 13 of EU Regulation no. 2016/679 (hereinafter, "GDPR"), that your data will be processed in the manner and for the purposes set out below.


  1. Scope of processing

The Data Controller processes the personal, judicial data and data concerning health communicated by you at the time of submission of the application for admission to the selection procedure initiated by Public Notice.


  1. Legal basis and purposes of the processing

Your personal data are processed for the purposes and in compliance with the legal basis as set out from time to time:

  1. participation in the procedure initiated by public notice and to carry out all management activities related to it:

    • with your specific express consent (articles 23 and 130 of the Privacy Code and art. 6, par. 1 letter a) of the GDPR) for data falling under special categories;

    • for the execution of pre-contractual measures (Art. 6 par. 1 letter b) of the GDPR), such as, for example, participation in tests and evaluation tests, as well as any procedures for the establishment of the employment relationship, for the management of the relationship and to respond to any requests from the data subject;

  2. to enforce and/or defend the rights of the data controller in civil, criminal and/or administrative disputes;

    • need to ascertain, exercise or defend a right in court (current regulations and art. 9 par. 1 letter f) of the GDPR and Recital 52 of the GDPR).


  1. Type of data collected, processing methods and period of retention of personal data collected

The personal data collected through the submission of the application for participation in the selection procedure initiated by Public Notice issued by the Data Controller, as well as from the curriculum vitae and the documentation transmitted by you are as follows:

Common Data:

  • first name, last name, date of birth, place of birth, gender;

  • Tax ID No.;

  • e-mail address or certified electronic mail address;

  • mobile number/phone number;

  • home address;

  • citizenship;

  • residence permit/refugee status;

  • profession;

  • body/company you work with;

  • image;

  • further common data such as professional experience, education, publications, titles.

Data falling into special categories (art. 9 of the GDPR):

  • personal data concerning your health status (e.g. status as a protected group member);

Data relating to criminal convictions and offences (art. 10 of the GDPR):

  • data relating to criminal convictions;

  • data relating to ongoing criminal proceedings.

The processing of your personal data is carried out by persons expressly and specifically designated by the Company and who operate in accordance with the instructions received by the Company.

The processing is carried out by means of the operations indicated in art. 4 of the Privacy Code and art. 4 n. 2) of the GDPR (collection, recording, organisation, storage, consultation, elaboration, alteration, selection, structuring, comparison, use, interconnection, blocking, disclosure, deletion and destruction), with or without the use of electronic means or on paper.

In both cases, the processing is carried out according to logics strictly related to the purposes indicated in point 2 and, in any case, in such a way as to guarantee the security and confidentiality of the data, in compliance with the regulations in force.

The Data Controller will process the personal data for the time necessary to fulfil the above purposes (art. 5 letter e) of the GDPR) and, in any case, for the period necessary to comply with the storage time set out in the Record Retention Policy approved by the Lombardy Region (Decree no. 11466 of 17.12.2015). The timescales will not exceed those necessary for the management of possible appeals and claims.


  1. Data access

Your data may be made accessible for the purposes set out in art. 2:

  • to employees and co-workers of the Data Controller, in their capacity as internal data processors and/or system administrators (employees of the Data Controller);

  • to personnel of the Data Controller appointed to the Examining Committee for the referenced procedure.


  1. Disclosure of the data

The Data Controller may disclose your data to public and private bodies, supervisory bodies, judicial authorities as well as to all other subjects whose right of access to the data is recognised by law provisions, secondary and EU regulations, as well as collective bargaining agreements (according to the provisions of the regulation for the processing of sensitive and judicial data approved by the Lombardy Region).

In any case, your personal data are not subject to disclosure, except as they may be subject to mandatory disclosure required by law.


  1. Transfer of data

Your personal data will be managed and stored both through supports and archives in paper format for use by the Data Controller's employees and on servers, located within the European Union, belonging to the Data Controller and/or third party companies engaged and duly appointed as Data Processors. The data will not be transferred outside the European Union. It is understood, in any case, that the Data Controller, if necessary, will have the right to change the location of the servers within Italy and/or the European Union and/or to non-EU countries. Should this be the case, the Data Controller ensures that the transfer of data outside the EU will take place in accordance with the applicable law provisions and, if necessary, agreements will be entered into to guarantee an appropriate level of protection and/or the standard contractual clauses provided for by the European Commission will be adopted.


  1. Nature of the provision of data and consequences of refusal to respond

The provision of data for the purposes set out in art. 2 is mandatory.

If consent is denied, it will not be possible for the Company to enter you in the selection procedure initiated by the Public Notice and pursue the purposes indicated in point 2 of this Notice.


  1. Revocation of consent

Since the processing is based on the declaration of consent, pursuant to articles 23 and 130 of the Privacy Code and articles 6 letter a) and 7 of the GDPR, you have the right to revoke the consent given at any time by notifying the Data Controller in the manner indicated in point 11 of this notice.

Please note that the revocation of consent does not affect the lawfulness of the processing based on the consent given before the revocation.

The revocation of consent to the processing of data will make it impossible for you to participate in the selection procedure initiated by Public Notice issued by the Data Controller and all activities related to it.


  1. Rights of the data subject

In your capacity as the data subject, you have the rights set forth in art. 7 of the Privacy Code and art. 15 of the GDPR, more specifically the right to:

  • obtain confirmation as to whether or not personal data concerning you exists, even if not yet recorded, as well as the communication of such data in an intelligible form;

  • obtain indication of: a) the origin of the personal data; b) the purposes and methods of processing; c) the logic applied if the data is processed with the aid of electronic means; d) the identification details of the Data Controller, data processors and the designated representative under art. 5, paragraph 2 of the Privacy Code and art. 3 paragraph 1 of the GDPR; e) the entities or categories of entities to which the personal data may be communicated and who may come to know of the data in their capacity as a designated representative in the State’s territory, as a data processor or as a person in charge of the processing;

  • obtain: a) the updating, correction, or if requested, the integration of data; b) deletion, transformation in anonymous form or blocking of data processed in violation of the law, including data that need not be retained for the purposes for which data was collected or subsequently processed; c) evidence that operations in letters a) and b) have been communicated, including the exact content, to those to whom the information was disclosed, unless this requirement proves impossible or requires manifestly disproportionate measures with respect to the protected right;

  • object in full or in part, on legitimate grounds, a) to the processing of personal data concerning you, even if it is relevant to the purpose of the collection.

Where applicable, you also have the rights under articles 16-21 of the GDPR (Right to rectification, right to be forgotten, right to restriction of processing, right to data portability, right to object), as well as the right to lodge a complaint with the Data Protection Authority.


  1. How to exercise your rights and contact information of the Data Protection Officer

In order to exercise your rights as set out in this notice as well as to receive any information relating to your data, you may contact the Data Controller as follows:

Pursuant to art. 12 of (EU) Regulation 2016/679, the Data Controller shall take charge of the request and provide feedback without delay, in any case, within one month of receipt of the request at the latest. This period may be extended by two months if necessary, taking into account the complexity and number of the requests. In this case, the Data Controller will inform you of the extension and of the reasons for the delay, within one month of the request.

The exercise of the rights by the data subject is free of charge; in the event of manifestly unfounded or excessive requests, in particular, due to their repetitive nature, the data controller may charge the data subject a reasonable fee, in light of the administrative costs incurred in managing your request or refusing to act on it, as provided for by art. 12 of (EU) Regulation 2016/679, paragraph 5.