Privacy Notice For Candidates Factorial Platform

1. Introduction and scope of application

This Privacy Notice is provided pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (the “GDPR”) and is addressed to all individuals who submit their application for employment with NICE S.p.A., having its registered office in Oderzo, Via Callalta no. 1, Italy, Tax Code/VAT No. IT 03099360269, and/or with the companies belonging to the NICE Group (hereinafter, jointly, the “Company” or the “Group”), whether in response to specific job openings or through spontaneous applications.

This Privacy Notice governs, in a single, complete and systematic manner, the processing of candidates’ personal data carried out by the Company in the context of recruitment, selection and assessment activities, as well as all activities connected with and instrumental to such processes, including the management of applications through dedicated digital tools.

In particular, the Company uses the Factorial HR platform as the sole tool for the collection, organization and management of job applications. This Privacy Notice fully replaces and supersedes any previous privacy notice relating to candidates published on the Company’s institutional website or on other application channels, which shall therefore be deemed no longer applicable.

2. Data Controller and Group governance

The Data Controller of candidates’ personal data is NICE S.p.A., with registered office in Italy, in its capacity as the parent company and as the entity responsible for defining recruitment policies, determining the purposes and means of the processing of personal data, and administering the application platform.

Each company belonging to the NICE Group acts as an independent Data Controller solely with regard to recruitment and selection processes falling within its own competence, with reference to applications submitted for job positions opened by that specific company or relating to a particular country or organisational context.

NICE S.p.A., in its capacity as parent company and administrator of the recruitment information system, also performs coordination and technical–organisational support functions in relation to the use of the Factorial HR platform, in compliance with the principles of lawfulness, fairness, transparency, data minimisation and accountability laid down by the GDPR.

Applications submitted through the platform are accessible exclusively to:

• authorised personnel of the Group company that has opened the relevant job position;
• authorised HR personnel of NICE S.p.A., strictly within the limits necessary to perform system administration, support and monitoring activities aimed at ensuring the proper functioning of the platform.

Under no circumstances are applications freely shared or circulated among Group companies for purposes other than personnel selection, unless the candidate has given explicit consent or where such disclosure is required by law.

2.1 Contact details

For any matter relating to the processing of personal data, including the exercise of the rights referred to in Section 9 below, candidates may contact:

Human Resources Department: hr@niceforyou.com.

3. Role of the Factorial HR platform – Data Processor

For the management of application and recruitment processes, the Company makes use of the Factorial HR digital platform, provided by Factorial HR S.L., which is used as a technological tool supporting recruitment activities.

Factorial HR acts exclusively as a Data Processor pursuant to Article 28 GDPR, on the basis of a specific Data Processing Agreement entered into with NICE S.p.A., and processes candidates’ personal data solely on behalf of the Company and in accordance with the documented instructions of the Data Controller.

In particular, Factorial HR:

• does not determine, in any manner, the purposes of the processing;
• does not take autonomous decisions in relation to job applications;
• does not use candidates’ personal data for its own purposes, whether commercial or for independent profiling activities.

The Company has verified that Factorial HR adopts appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in compliance with Article 32 GDPR.

4. Categories of data subjects

This Privacy Notice applies to the following categories of data subjects:

• candidates who participate in recruitment and selection processes for job positions opened by the Company;
• candidates who submit a spontaneous application through the platform;
• candidates who authorise the retention of their curriculum vitae for future employment opportunities.

5. Categories of personal data processed

In the context of recruitment and personnel selection activities, the Company processes only personal data that are relevant, adequate and limited to what is necessary in relation to the purposes pursued, in accordance with the data minimisation principle set out in Article 5(1)(c) GDPR.

In particular, the following categories of personal data may be processed:

a) Identification and contact data

By way of example and not limitation: first and last name, date and place of birth, residence or domicile address, email address, telephone number and other contact details provided by the candidate.

b) Data relating to the application and professional profile

Information contained in the curriculum vitae and in the documentation attached thereto, including:

• education and academic background;
• previous professional experience;
• technical and soft skills;
• professional qualifications, certifications and licences;
• any information relating to availability for work and professional expectations.

c) Data collected during the selection process

Data deriving from individual interviews, including interviews conducted via video call through the “TEAMS” platform, skills assessment tests (where applicable), as well as notes and evaluations formulated by the personnel involved in the selection process concerning the candidate’s suitability for the relevant position.

Such evaluations are of a professional and organisational nature and are not used for purposes that are further or incompatible with personnel selection.

d) Special categories of personal data

Pursuant to Article 9 GDPR, personal data falling within special categories (for example, data relating to health or to membership of protected categories) may be processed exclusively:

• where, and to the extent that, such data are voluntarily provided by the candidate;
• within the limits permitted by applicable law;
• for purposes strictly connected with compliance with legal obligations or with the assessment of suitability for the position.

In any event, the Company invites candidates not to include in their CV or in application-related communications personal data that are not relevant or that are excessive in relation to recruitment purposes.

e) Technical data and data relating to the use of the platform

Data connected with the use of the Factorial HR platform, such as:

• date and time of submission of the application;
• access and usage logs of the platform;
• technical identifiers necessary for the operation and security of the system.

Such data are processed for technical, security and audit purposes only and are not used for the assessment of candidates.

6. Sources of personal data (Article 14 GDPR)

The personal data subject to processing are collected primarily directly from the data subject, through:

• the completion of application forms available on the Factorial HR platform;
• the upload of the curriculum vitae and any supporting documentation;
• the information provided during interviews and interactions with the personnel involved in the recruitment process.

On a residual basis, and within the limits permitted by applicable law, the Company may process personal data obtained from publicly available sources (such as public professional profiles on employment-oriented networking platforms), solely for the purpose of verifying and supplementing the professional information provided by the candidate, and without carrying out any systematic or intrusive monitoring activities.

7. Purposes of the processing

Candidates’ personal data are processed by the Company for the following purposes, which are strictly connected to one another:

a) Management of recruitment and personnel selection processes

Assessment of applications, verification of the consistency of the candidate’s profile with open positions, and management of the selection phases, including interviews and assessment activities; where applicable, inclusion of the candidate’s data in recruitment databases for future job opportunities, subject to the candidate’s consent.

b) Performance of pre-contractual measures

Carrying out activities preliminary to the possible establishment of an employment or collaboration relationship, at the request of the candidate.

c) Compliance with legal obligations

Compliance with obligations laid down by employment law, equal opportunity regulations, mandatory placement requirements and other provisions applicable to recruitment and selection processes.

d) Management of spontaneous applications and future opportunities

Retention of the candidate’s personal data for evaluation in relation to future job positions, exclusively subject to the data subject’s consent, and within the time limits specified in this Privacy Notice.

e) Protection of the Company’s rights

Establishment, exercise or defence of a right of the Company in judicial or out-of-court proceedings, in connection with any disputes arising from recruitment and selection processes.

8. Legal basis for the processing

The processing of candidates’ personal data is based on the following legal grounds:

• Article 6(1)(b) GDPR – processing necessary for the performance of pre-contractual measures taken at the request of the data subject;
• Article 6(1)(c) GDPR – processing necessary for compliance with a legal obligation to which the Data Controller is subject;
• Article 6(1)(f) GDPR – processing necessary for the purposes of the legitimate interests pursued by the Data Controller in the effective and secure management of recruitment and selection processes;
• Article 9(2) GDPR, where applicable, with regard to the processing of special categories of personal data;
• the data subject’s consent, limited exclusively to the retention of the curriculum vitae for future recruitment opportunities.

9. Methods of processing

The processing of personal data is carried out in compliance with the principles set out in Article 5 GDPR, by means of manual, electronic and telematic tools, according to logic strictly related to the purposes indicated above.

The Company adopts appropriate technical and organisational measures to ensure:

• the confidentiality, integrity and availability of personal data;
• the protection of data against unauthorised access, disclosure, alteration or destruction;
• the traceability of processing operations.

Access to candidates’ personal data is granted exclusively to expressly authorised personnel, belonging in particular to the Human Resources function and, where strictly necessary, to the Legal and IT functions, each acting within the scope of predefined roles and responsibilities.

10. Automated decision-making and profiling

The Company specifies that it does not adopt automated decision-making processes producing legal effects concerning the candidate or similarly significantly affecting the candidate, within the meaning of Article 22 GDPR.

Any IT tools used within the Factorial HR platform may support the organisation, classification and management of applications; however, the assessment of candidates’ profiles and decisions relating to the outcome of the selection process are always carried out by authorised human personnel.

No automated profiling activity having a determinative or exclusive character with respect to recruitment decisions is carried out.

11. Security of the processing

The Company has implemented appropriate technical and organisational security measures commensurate with the risk, in accordance with Article 32 GDPR, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing.

In particular, measures are adopted to:

• ensure the availability and resilience of information systems;
• prevent unauthorised access and improper use of the platform;
• ensure procedures for the management of security incidents and personal data breaches.

The Factorial HR platform is selected and used following verification of the security guarantees offered by the provider and in compliance with the contractual obligations set out in the Data Processing Agreement.

12. Recipients of personal data

Candidates’ personal data may be disclosed, within the limits strictly necessary for the purposes indicated in this Privacy Notice, to the following categories of recipients:

a) Authorised internal personnel

Personal data are processed by employees and collaborators of the Company who are expressly authorised and duly instructed, belonging in particular to the Human Resources, Legal and, where necessary, IT functions, each within the scope of their respective competences and responsibilities.

b) Service providers and data processors

Personal data may be disclosed to external parties supporting the Company in the management of recruitment and selection processes and in the provision of IT services, including:

• Factorial HR, acting as Data Processor pursuant to Article 28 GDPR;
• providers of IT, cloud, hosting and information systems maintenance services.

The Company may grant subcontractors access to personal data in order to process them on its behalf and in accordance with its instructions. Depending on the specific circumstances, one or more of the following entities may act as recipients of candidates’ personal data:

• Factorial HR, HR platform, Spain
• SendGrid (Twilio), email service provider, Ireland
• Amazon Web Services (AWS), web hosting services, Germany
• Microsoft Azure, cloud services, Germany
• consultants and professionals providing organisational, administrative or legal support services to the Company.

Such entities act as Data Processors or Sub-processors, on the basis of specific contractual agreements governing the processing of personal data and providing for appropriate guarantees of confidentiality and security.

c) Public authorities and authorised bodies

Personal data may be disclosed to public bodies and authorities, supervisory authorities or control bodies, where such disclosure is required by applicable laws, regulations or orders issued by the competent authorities.

13. Transfer of personal data to third countries

Where, in the context of the use of the Factorial HR platform or other IT services, candidates’ personal data are processed or made accessible to entities located outside the European Union or the European Economic Area, such transfers shall take place exclusively in compliance with the provisions of Chapter V of the GDPR.

In particular, such transfers may be carried out:

• to countries subject to an adequacy decision adopted by the European Commission pursuant to Article 45 GDPR; or
• on the basis of appropriate safeguards, such as the Standard Contractual Clauses adopted by the European Commission pursuant to Article 46 GDPR, where necessary supplemented by additional measures capable of ensuring a level of protection essentially equivalent to that guaranteed under the GDPR.

The Company periodically verifies the adequacy of the safeguards adopted in relation to transfers of personal data to third countries.

14. Retention period of personal data (Data retention)

Candidates’ personal data are retained for a period of time that is limited and proportionate to the purposes for which they are processed, in accordance with the storage limitation principle set out in Article 5(1)(e) GDPR.

In particular, the following retention criteria apply:

a) Applications relating to specific job positions

Personal data are retained for the entire duration of the selection process and, in the event of a negative outcome, for a maximum period of 12 months from the closing of the selection process, in order to allow for any verifications and to protect the Company in the event of disputes.

b) Spontaneous applications or applications for future opportunities

Where the candidate has given specific consent to the retention of their curriculum vitae for future employment opportunities, personal data are retained for a maximum period of 12 months, unless the consent is withdrawn earlier.

c) Applications with a positive outcome

In the event that an employment or collaboration relationship is established, the candidate’s personal data become part of the documentation relating to the relationship thus established and are processed in accordance with the Company’s Employees’ Privacy Notice.

d) Technical and log data

Technical data and access logs relating to the use of the Factorial HR platform are retained for the period strictly necessary for security, audit and proper system management purposes, in compliance with internal policies and applicable law.

Upon expiry of the applicable retention period, personal data are deleted or irreversibly anonymised.

15. Rights of the data subjects

As a data subject, the candidate may exercise at any time the rights provided for in Articles 15 et seq. of the GDPR, within the limits and under the conditions laid down by applicable law.

In particular, the candidate has the right to:

• obtain confirmation as to whether or not personal data concerning them are being processed and, where that is the case, access to the personal data (Article 15 GDPR);
• obtain the rectification of inaccurate personal data and the completion of incomplete personal data (Article 16 GDPR);
• obtain the erasure of personal data concerning them, in the cases provided for by Article 17 GDPR;
• obtain restriction of processing in the cases provided for by Article 18 GDPR;
• object to the processing of personal data concerning them, within the limits set out in Article 21 GDPR, in particular where the processing is based on the legitimate interests of the Data Controller;
• receive the personal data provided in a structured, commonly used and machine-readable format, and to transmit those data to another controller, in the cases provided for by Article 20 GDPR (right to data portability).

It is understood that the exercise of the above rights may be subject to limitations in the cases provided for by Article 23 GDPR and by applicable national law.

16. Exercise of data subject rights

Data subjects may submit their communications and exercise their rights by sending a written request to the following email address: hr@niceforyou.com.

In certain cases, a request may be refused where it concerns the erasure of personal data that are necessary for compliance with legal obligations to which the Company is subject.

The Company undertakes to respond to data subjects’ requests without undue delay and, in any event, within the time limits laid down in Article 12 GDPR, namely within one month of receipt of the request, which may be extended by a further two months where necessary, taking into account the complexity and number of the requests.

Where a request cannot be granted, in whole or in part, the Company shall provide an appropriate justification, in compliance with applicable law.

17. Right to withdraw consent

Where the processing of personal data is based on the data subject’s consent, the candidate has the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

The withdrawal of consent shall result in the impossibility for the Company to continue processing personal data for the purposes for which such consent was given, unless another lawful basis for processing applies.

18. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, the candidate has the right to lodge a complaint with a supervisory authority if they consider that the processing of their personal data infringes the GDPR.

The lead supervisory authority is the Italian Data Protection Authority (Garante per la protezione dei dati personali). Accordingly, the candidate may lodge a complaint with the Italian Data Protection Authority via its institutional website (www.garanteprivacy.it) or bring the matter before the competent Italian judicial authorities.

A complaint may also be lodged with the supervisory authority of the Member State in which the candidate has their habitual residence, place of work, or the place of the alleged infringement.

19. Nature of the provision of personal data

The provision of personal data marked as mandatory within the application procedure is necessary in order to enable the Company to assess the application and manage the recruitment and selection process.

Failure to provide such data may result in the impossibility of considering the application.

The provision of additional data, as well as consent to the retention of the curriculum vitae for future employment opportunities, is optional.

20. Updates to this Privacy Notice

This Privacy Notice may be subject to amendments or updates over time, including as a result of regulatory, organisational or technological developments.

The updated version of the Privacy Notice shall be made available through the Factorial HR platform and, where necessary, communicated to data subjects by appropriate means.