Information Privacy Notice for the acquisition of CVs and information about candidates (by website or other means) pursuant to Article 13, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, respectively, the “Information Notice” and the “Regulation” or the “GDPR”)

In accordance with the provisions set forth by the Regulation, Aegis S.r.l., in person of its pro tempore legal representative, having its registered office in Via Gaetano Negri 8, 20123 Milan, tax code/VAT no. 03516140963, certified e-mail address: aegishr@legalmail.it, in its capacity as controller of your personal data (hereinafter, the “Controller”), which may possibly act also through Aegis UK - Recruiting & Consulting Ltd., in person of its pro tempore legal representative, having its registered office in Marlborough House, 298 Regents Park Road, N3 2SZ, London, United Kingdom, tax code/VAT no. 255 7676 63, e-mail address: aegishr@legalmail.it, in its capacity as processor of your personal data, provides you with this information notice pursuant to Article 13, GDPR, in relation to the processing of your personal data concerning you and communicated, or to be communicated, to us by you or by third parties.

The processing of personal data will be carried out under the following conditions.

1. Identity and contact details of the Controller:

Aegis S.r.l. in person of its pro tempore legal representative, having its registered office in Via Gaetano Negri 8, 20123 Milan, tax code/VAT no. 03516140963, certified e-mail address: aegishr@legalmail.it (hereinafter, the “Controller”).

2. Contact details of the Data Protection Officer (DPO)

Aegis S.r.l. has appointed a “Data Protection Officer” (“DPO”) in the person of Avv. Antonio Virgallita, who can be contacted at the following email address: privacy@aegishcg.com.

You may freely contact the DPO for any matter related to the processing of your personal data and/or should you wish to exercise your rights, as indicated and described below, by sending a written communication to the email address provided in this section.

Candidates may also report any discriminatory, unlawful or otherwise non-compliant conduct arising in the context of the selection process through the company whistleblowing channel available on the website https://www.aegishcg.com/. The personal data contained in such reports will be processed in compliance with the applicable legislation and with the specific privacy notice relating to the whistleblowing channel.

3. Purposes of the processing for which the personal data are intended and legal basis of the processing:

Your personal data will be processed:

(i) without your consent (Article 6, letters b, c, f, GDPR), for the following purposes:

-           activities related or instrumental to carrying out recruitment and selection activities for candidates and updating such searches, for current and future job positions, to be included within the organization of companies or other third-party entities for which the Controller operates, as well as to benefit from free services offered by the Controller such as, by way of example, active labour policies, courses, training, sector studies on an anonymous basis, aimed at the provision of informative and educational services by the Controller;

- communication to candidates, during the selection process and where available and/or communicated by client companies, of the initial remuneration or the salary range/band envisaged for the position subject to selection, as well as any further essential elements of the remuneration package, in line with the principles of transparency and equal treatment;

- processing of market benchmarks, statistical analyses and remuneration or sector studies, through the use of anonymized and aggregated data, so as not to allow the identification of individual candidates. Personal data may be processed only for the time strictly necessary for their anonymization or aggregation;

-           compliance with obligations provided for by Italian or foreign laws, by regulations applicable to the Controller’s business sector, by the applicable National Collective Bargaining Agreement or by other binding rules (in particular, in tax, social security and welfare, hygiene and safety at work, health protection, public order and security matters), as well as to ascertain, exercise or defend the Controller’s rights in extrajudicial and/or judicial proceedings, for the entire duration of the dispute, until the time limits for appeal actions have expired;

-           any personal data you provide that falls under special categories of data pursuant to Article 9, GDPR will be processed by the Controller, only where necessary and relevant, to evaluate your application for job positions falling within the scope of targeted employment. In this case, the legal basis for the processing is the need to fulfil the obligations and exercise the specific rights of the Controller or of the Data Subject in the field of labour law and social security and social protection, to the extent authorized by Union or Member State law or by a collective agreement pursuant to Member State law, where there are appropriate safeguards for the fundamental rights and interests of the data subject (Article 9.2, letter b, GDPR);

-           the Controller may process public information concerning your profile available on professional social networks in order to verify that the data you have provided correspond to what you have declared, limited only to professional information necessary for the sole purpose of assessing the specific risks related to the type of activity to be carried out according to the profile sought, adopting all necessary measures to ensure the proper balancing of your interests, fundamental rights and freedoms with our legitimate interest.

In application of the principles of minimization, relevance and transparency of processing, as well as the rules on pay transparency, Aegis will not ask candidates for information on remuneration received in current or previous employment relationships, nor will it carry out investigations into their salary history. Any such information spontaneously communicated by the candidate will not be used to determine the remuneration conditions of the position subject to selection, unless this is strictly necessary and permitted by the applicable legislation.

(ii) with your consent (Article 7, GDPR), for the following purposes:

-           communication of your data, including special categories of data pursuant to Articles 9 and 10 GDPR other than those relating to membership of “protected categories” that may be provided by the Data Subject, as well as any individual reports, with a concise descriptive profile drafted by the Controller following one or more interviews and the results of the assessment activities performed, to third parties that make use of the Controller’s professional services for personnel recruitment and selection;

The provision of data for the purposes referred to in section (i) above is mandatory. Failure to provide the data and/or any express refusal to processing will make it impossible for the Controller to carry out the activities for which it has been contacted or has contacted the candidate, including those related to the recruitment and selection process. As regards sector studies on an anonymous basis, the Data Subject may obtain the suspension of the sending of any questionnaires by email by making an express request to privacy@aegishcg.com.

In relation to market benchmarks and statistical studies, the results will be processed and used exclusively in anonymous and aggregated form, without identifying references to individual candidates.

The provision of data for the purposes referred to in section (ii) is optional; consequently, you may decide not to provide your consent or to withdraw it at any time. In such case, however, the Controller will not be able to provide most of the services that it normally provides to candidates, since it will not be able to communicate the personal data to third parties that make use of the Controller’s professional services for personnel recruitment and selection. If consent is given, the Controller informs you that, pursuant to Article 7, GDPR, such consent will be considered valid and effective for a period of 48 months from the date on which it was given and/or renewed, without prejudice to the Data Subject’s right to request erasure at any time and to all rights provided for by the Regulation. This term has been set by the Controller on the basis of the average duration of recruitment and selection mandates received from its clients.

4. Categories of personal data processed

The personal data processed by the Controller include, by way of example and without limitation, first name, last name, place and date of birth, tax identification number, residence, gender, company identification number, location data, an online identifier or one or more characteristic elements of your physical, physiological, genetic, mental, economic, cultural or social identity, telephone contacts, educational qualifications, work experience, any additional data you entered in the CV and/or in the questionnaire completed via web.

The data that may be processed also include information relating to the position subject to selection, including the salary range/band, job level and other remuneration elements or benefits envisaged for the role, where communicated by the client company or otherwise necessary for carrying out the selection process. It remains understood that Aegis does not request information on the candidate’s past or current salary history.

In order to achieve the above-mentioned processing purposes, in accordance with the data minimization principle set forth in Article 5, paragraph 1, letter (c), GDPR, the Controller does not need to process special categories of data, as defined by Articles 9 and 10, GDPR, concerning you and, where applicable, your family members, except for the sole sensitive data relating to membership or non-membership of so-called “protected categories”. We therefore invite you to refrain from sending to the Controller any further personal data of any kind that are not necessary for the performance of the selection procedure. If you do send such data, they will not be taken into consideration and will be immediately erased by the Controller.

We point out that any processing of the data referred to above will also take place in compliance with Article 8 of the Workers’ Statute (Law no. 300/1970, as amended and supplemented), which imposes on the employer, for the purposes of recruitment and during the employment relationship, a prohibition on carrying out investigations into workers’ political, religious or trade-union opinions, as well as into facts not relevant to the assessment of their professional aptitude. In particular, the Controller will process the personal data contained in the CV received from the candidate and in individual reports, with a concise descriptive profile drafted by the Controller following one or more interviews.

5. Categories of recipients of personal data

For the purposes referred to in paragraph 3, section (i) above, the data you provide may be made accessible to:

(i)        employees and collaborators of the Controller and/or of other subsidiaries or related entities, or entities belonging to the same corporate group to which the Controller belongs (Aegis UK, Aegis Human Consulting Group S.r.l.) and/or of other business lines of the Controller, in their capacity as persons authorized to process personal data or as processors;

(ii)       professionals and professional firms appointed by the Controller, law and consulting firms, providers of consulting and/or training and/or assessment services and, in general, third parties with which the Controller has entered into a contractual relationship for the performance of the activities referred to in paragraph 3 above, which have been duly appointed as processors pursuant to Article 28, GDPR;

(iii)      public authorities for legal compliance and supervisory purposes, public administrations, public entities and bodies (national and foreign).

6. Processing methods of personal data

The processing of your personal data is carried out by means of the operations indicated in Article 4, no. 2, GDPR - whether or not by automated means - and in particular: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, any other form of making available, alignment or combination, restriction, erasure or destruction of data.

Personal data will be processed using both traditional tools (forms, questionnaires, etc.) and computer tools. In any case, their logical and physical security and, in general, their confidentiality will be guaranteed, and any dissemination of personal data is excluded.

7. Transfer of personal data abroad

Your personal data will be processed, managed and stored on servers located within the European Economic Area and may be transferred, where necessary for the performance of the activities referred to in paragraph 3 above, to certain countries outside the European territory (UK, United States, United Arab Emirates and India). Should it be necessary to use the services of third parties located outside the European territory, we hereby inform you that:

-           the Controller has arranged to appoint these subjects as Processors pursuant to Article 28 of the Regulation, entering into a specific agreement that guarantees the transfer with adequate security safeguards and in compliance with the principles set forth by the Regulation; and

-           the transfer of your personal data to such subjects will be carried out in strict compliance with Articles 44 et seq. of the Regulation.

This ensures that all necessary measures will be adopted in order to guarantee the fullest protection of your personal data, since such transfer will be based on contractual agreements or other appropriate legal bases designed to protect your rights and interests.

Your personal data will not be disseminated.

8. Personal data retention period

Your personal data will be retained for the entire duration of the mandate received from the client for the personnel recruitment and selection for which your data were collected by the Controller and, upon expiry of such mandate (for any reason and/or cause), the data will be retained for 48 months from the last activity performed on the data, without prejudice to the Data Subject’s right to request erasure at any time.

The data used for market benchmarks, statistical analyses or sector studies will be retained in personal form only for the time strictly necessary for their anonymization or aggregation; once anonymized, the results will not allow the identification of candidates.

9. Rights of the Data Subject

In compliance with the provisions of Chapter III, Section I, GDPR, you, in your capacity as data subject, have the right to exercise the rights set out therein and in particular:

(i) access the personal data;

(ii) obtain the rectification or erasure of the same or the restriction of processing concerning them; in case of a request for erasure, the Data Subject also has the right to obtain that the Controller - taking account of available technology and the cost of implementation - takes reasonable steps, including technical measures, to inform controllers which are processing the personal data of the Data Subject’s request to erase any links to, or copy or replication of, those personal data;

(iii) object to the processing;

(iv) request data portability;

(v) withdraw consent, where provided, at any time, without, however, affecting the lawfulness of processing based on consent before its withdrawal;

(vi) lodge a complaint with the Supervisory Authority.

The Data Subject may submit a request to exercise such rights by sending an email communication to: privacy@aegishcg.com

Last update: June 2026

INFORMATION NOTICE PURSUANT TO SECTIONS 13 AND 14 GDPR

Dear Data Subject,

In accordance with the provision set forth by the European Regulation 2016/679 of the EU Parliament and of the Counsel dated April 27, 2016, concerning the protection of natural persons with regard to processing of personal data (hereinafter, the “GDPR” or the “Regulation”), Aegis S.r.l., having its legal offices in Milan, via Gaetano Negri 8, 20123, VAT number 03516140963, certified e-mail address: aegishr@legalmail.it, in person of its pro tempore legal representative as controller of your personal data (hereinafter, “Aegis” or the “Controller”), and, where applicable, Aegis UK – Recruiting & Consulting Ltd. having its legal offices in Marlborough House, 298 Regents Park Road, N3 2SZ, London, United Kingdom, VAT number 255 7676 63, certified e-mail address: aegishr@legalmail.it, in person of its pro tempore legal representative as processor of your personal data, provide you with the present information notice, pursuant to Sections 13 and 14, GDPR, in relation to the processing of your personal data communicated to us by you or by third parties (hereinafter, the “Information Notice”).

The processing of personal data will be carried out under the following conditions.

1. Identity and Contact details of the Controller

Aegis S.r.l., in person of its pro tempore legal representative, having its legal offices in Milan, via Gaetano Negri 8, 20123, VAT number 03516140963, email address: privacy@aegishcg.com, certified e-mail address: aegishr@legalmail.it,

2. Contact details of the Data Protection Officer (DPO)

Aegis S.r.l. has appointed as Data Protection Officer Mr. Antonio Virgallita, available at the following email address: privacy@aegishcg.com.

You will be free to contact the DPO for any matter related to the processing of your personal data and/or should you want to exercise your rights, as indicated and described below, sending out a written communication at the email address above.

Without prejudice to the foregoing, it is also possible to report any discriminatory, unlawful or otherwise non-compliant conduct that may arise within the relationship with Aegis through the corporate whistleblowing channel available on the website https://www.aegishcg.com/. The processing of personal data contained in such reports will be carried out in compliance with the applicable legislation and with the specific privacy notice relating to the whistleblowing channel.

3. Purposes of the processing for which the personal data are intended and related legal basis

Your personal data will be processed without your consent (pursuant to section 6, items b, c, f, GDPR), for the following purposes:

• performance of pre-contractual and contractual obligations deriving from the conclusion of the supply contract between you and the Controller;
• compliance with provisions of laws and regulations (national or EU), or execution of an order of judicial Authorities or supervisory bodies to which the Controller is subject;
• exercise the rights of the Controller, with particular reference to judicial defensive rights.

The provision of data for the above-mentioned purposes is mandatory. Failure to provide the data and/or any express refusal to the processing will result in the impossibility for the Controller to perform its contractual obligations or in the possible violation of requests from the competent Authorities.

4. Processed Categories of Personal Data

Pursuant to Section 4, no. 1, GDPR, the “personal data” that will be processed by the Controller, within the scope of the purposes of processing indicated above, concern, by way of example, name and surname, tax code, photocopy and/or number of the identity document, VAT number, residence, domicile, workplace address, e-mail or certified e-mail address, telephone and fax numbers and, where applicable, bank, financial and insurance data, etc.

You shall refrain from sending personal data to the Controller that are not strictly necessary for the performance of contractual and/or commercial activities. Otherwise, personal data must be transmitted to the Controller in anonymous or pseudonymised form, in accordance with the principle of data minimisation set out in Section 5, paragraph 1, GDPR.

In the event that, in the performance of the contractual relationship, the supplier (legal entity, hereinafter, the “Supplier”) communicates to the Controller (in a non-anonymous or non-pseudonymised form) personal data in addition to those of its legal representatives and/or contact persons, the Supplier declares and warrants that it processes all such personal data lawfully and in compliance with the GDPR, also declaring that it has already provided the Data Subjects with an adequate information notice expressly mentioning the possibility of providing personal data to third-party companies and that it has obtained any consents necessary for such purpose. The Supplier also undertakes to inform its employees and/or collaborators that this Information Notice is available on the website www.aegishcg.com, so that it may be provided by the Controller to the Data Subjects pursuant to Sections 13 and 14, GDPR.

5. Categories of Personal Data Recipients

For the purposes referred to in paragraph (c) above, the personal data provided by you may be made accessible to:

• employees and collaborators of the Controller and / or other subsidiaries or related entities, or entities belonging to the same companies’ group to which the Controller is party thereof, as well as companies where the Group detains shares (Aegis UK, Aegis Human Consulting Group S.r.l.) in their capacity of persons authorized to process personal data or data processor;
• any third party (such as provider for management and maintenance of website and/or management information systems, providers, credit institutions, professional companies, etc.), performing outsourced activities on behalf of the Controller, in their capacity of data processors;
• controlling Authority, public entities and institutions (whether national or foreign ones).

6. Storage and Transfer of Personal Data to Third Countries

The Controller states that personal data are managed and stored on servers located within the European Union, owned by and/or available to the Controller and/or to third-party companies appointed and duly designated as Data Processors. Where necessary, the transfer of data abroad to non-EU countries will, in any case, take place in accordance with the provisions of Chapter V of the GDPR (Section 46), through the adoption of standard clauses drafted on the basis of versions no. 2004/915/EC and no. 2010/87/EU developed by the European Commission. The Controller may move the location of the servers to non-EU countries.

Your personal data will not be disseminated.

7. Personal Data Storage Period

Personal Data provided for the purposes indicated under par. (b), above will be processed and stored for the entire duration of the executed contract. As of the termination of such contractual relationship, for whichever reason or cause, personal data will be stored as long as time-barring legal terms will be elapsed.

8. Exercisable Rights

In compliance with the provisions under Chapter III, Section I, GDPR, you may exercise the rights therein indicated and in particular:

• (i) right of access;
• (ii) obtain the rectification or the erasure of personal data or the limitation to processing from Controller. In case of the request of erasure, the data subject has the right to obtain that Controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data;
• (iii) right to object to the processing of personal data;
• (iv) right to data portability;
• (v) right to withdraw the consent at any time; the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal;
• (vi) right to lodge a complaint with the Supervisory Authority.

You may exercise such rights by simply sending a request by e-mail to the following e-mail address: privacy@aegishcg.com.

9. Processing methods

The processing of your personal data is carried out by means of the operations indicated in Section 4, n. 2), GDPR - performed with or without the assistance of IT systems - and, precisely: collection, recording, organisation, structuring, updating, storage, adaptation or alteration, retrieval and analysis, consultation, use, disclosure by transmission, comparison, interconnection, restriction, erasure or destruction of data.

In any case, the logical and physical security of the data and, in general, the confidentiality of the personal data processed will be guaranteed by implementing all necessary technical and organisational measures appropriate to ensure their security.

Last update: June 2026