By means of this information notice (“Notice”), the Data Controller, as defined below, wish to inform You on the purposes and methods of the processing of Your personal data and on the rights that Regulation (UE) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”) entrust You.

1. Who is the Data Controller, the Representative in the Union and the Data Protection Officer (DPO)
The Data Controller is Bally Schuhfabriken AG (the “Data Controller” or the “Company”), with registered office in Via Industria 1, 6987 – Caslano (Switzerland), in person of its legal representative pro tempore.
The Data Controller’s representative in the European Union is Bally Italia S.r.l., with registered office in Viale Don Minzoni, 39, 50129 Firenze (Italy), in person of its legal representative pro tempore.
The Data Controller appointed a Data Protection Officer (“Data Protection Officer” or “DPO”), that You may contact for the exercise of Your rights as listed in article 8 below, as well as for asking any further information, at the following addresses:

2. Source of data collection and which personal data we process
We collect personal data about job applicants from the following sources:
• directly from the candidates;
• recruitment agencies, from which we collect data similar to that specified above;
• named referees – prior employers; and
• from publicly available professional networking profiles e.g., LinkedIn.
For the purposes set forth in this Notice, the Data Controller processes the following personal data:
• your name, employment history and academic qualifications, and any other information that you have provided to us in your curriculum vitae, cover letter as well as the URL to your LinkedIn account in case that you have applied through your LinkedIn account;
• the information you have provided on our application form, if relevant, including title, address, telephone number, personal email address, date of birth; and
• data regarding Your health state (e.g. Your possible belonging to a protected category);
• financial data (e.g. Your income).
• any information you provide to us during an interview.
The types of personal data that we request from you and the ways that we process it are determined by the requirements of the country in which the position is located, and not the country in which you reside. Should you apply to more than one location or should the role to which you apply be available in more than one country, the types of personal data we request from you and the ways that we process it are determined by the requirements of all the countries in which the position is located.
Special categories of personal data are a subset of personal data and include ethnicity, health, trade union membership, philosophical beliefs, criminal convictions and offences, as well as other categories as allowed by law. We do not seek to obtain and will not collect such data about a candidate unless required to do so by applicable laws.

3. Purposes of processing and legal basis
The processing of Your personal data is necessary for the recruitment process, including, but not limited to:
• assess your skills, qualifications and suitability for potential employment;
• carry out background and reference checks, where applicable;
• communicate with you about the recruitment and hiring process;
• keep records related to our hiring processes; and
• comply with legal or regulatory requirements.
We may also analyse your personal data or aggregated/anonymized data to improve our recruitment and hiring process and augment our ability to attract successful candidates.
The legal basis for the processing of Your data is, therefore, taking steps at the request of the data subject prior to entering into a contract, pursuant to Article 6, first paragraph, letter b), of the GDPR; therefore, Your consent is not necessary to allow the processing.
As far as Your health data are concerned, the legal basis for their processing is Your consent. You may at any time revoke Your consent to the processing of Your health data.

4. Nature of the personal data processing and consequences of a refusal
The processing of Your personal data, also regarding Your health, is a mandatory requirement for the recruitment process, and therefore Your refusal to provide such personal data will result in the impossibility for the Data Controller to manage the same.

5. Data Retention
The data shall not be kept for any longer than is necessary for the purposes for which it was collected or subsequently processed, in line with what is set forth by legal obligations. In particular, data will be deleted after a maximum of two years from the date of sending or last update. In the event that a call for a selection process should not conclude with your inclusion in the company, data may be stored for up to five years, exclusively for the purpose of recruitment and selection for other professional opportunities.

6. Methods by which your personal data will be processed
Your personal data will be processed, pursuant to the provisions of the GDPR, by means of paper, computerized and telematics tools, for the purposes indicated above and with adequate methods to guarantee their security and confidentiality in accordance to Article 32 of the GDPR. Bally takes precautions to protect personal data from unlawful or unauthorized processing, and against the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. We have taken appropriate technical and organizational measures to protect the information systems on which your personal data is stored, and we require our third party service providers to protect your personal data by contractual means.

7. To which subjects your personal data may be communicated and who may get to know them
Access to your personal data is restricted to authorized personnel within Bally on a “need to know” basis according to their job role and responsibilities.
For the purposes described in paragraph 3 above, Your personal data will be disclosed to employees, external consultants and, in general, Bally’s personnel, who will act as person authorized to the processing of personal data, specifically appointed as internal delegates.
In addition, Your personal data will be processed by the following third parties:
a) service providers for the management of the IT system;
b) legal and consulting services providers;
c) recruitment agencies;
d) other service providers.
The above subjects shall act, in some cases, as autonomous data controller, in other cases as data processors specifically appointed by the Data Controller pursuant to Article 28 of the GDPR.
The transfer of your personal data from the European Union to Switzerland occur on the basis of the European Commission’s adequacy decision that recognizes Switzerland as a country ensuring an adequate level of protection for personal data.
The transfers of your personal data to extra-EU countries occur on the basis of appropriate measures designed to protect personal data and in accordance with applicable data protection laws.
The complete and updated list of the subjects to whom Your personal data may be communicated may be requested at the following addresses:
Your personal data will not be disclosed to the public.

8. Your rights as data subject
With regard to the processing described in this Notice, You may exercise any of the rights described in this section in accordance with Articles 15 through 21 of the GDPR. In particular:
• You can ask us for a confirmation of the personal data we process about you and ask for a copy of the personal data we hold about you;
• You can inform us of any changes to your personal data, or you can ask us to correct any of the personal data we hold about you;
• In certain situations, you can ask us to erase, block, or restrict the processing of the personal data we hold about you, or object to particular ways in which we are using your personal data; and
• In certain situations, you can also ask us to send the personal data you have provided us to a third party in a common, machine-readable format.
Where Bally uses your personal data on the basis of your consent, you are entitled to withdraw that consent at any time subject to applicable law, with no adverse effect. Moreover, where Bally processes your personal data based on legitimate interest, you have the right to object at any time to that use of your personal data subject to applicable law.

The above rights may be exercised by contacting the Data Controller, the Representative in the Union and the DPO at the contact details indicated in previous article 1. The Data Controller, the Representative in the Union and the DPO will take care of your request and provide You, without undue delay and, in any case, no later than one month after receipt of Your request, with information relating to the actions taken regarding your request.
The exercise of Your rights as data subjects is free according to Article 12 GDPR. However, in case of manifestly unfounded or excessive requests, also due to their repetitiveness, the Data Controller may charge a reasonable fee, in light of the administrative costs incurred for managing Your request, or deny the satisfaction of your request.
Finally, we inform You that the Data Controller may request further information for confirming Your identity.