Data Protection Policy for the Processing of Personal Data on the Website
MAFG S.r.l. in its capacity as data controller, hereby informs you pursuant to Article 13 of EU Regulation no. 2016/679 ("GDPR") that the data provided through the https://nexthire-ai.com/ website (the "Website"), regardless of the methods and tools used, will be processed in the following ways and for the following purposes.
This information applies to the personal data that MAFG S.r.l. collects from you as a user of the Site (the "User") or as a potential client/client or contact person of a potential client/client in the event that you act on behalf of a legal entity (respectively the "Potential Client" and the "Client") or as a candidate for open positions at MAFG S.r.l. or in the event of the submission of your spontaneous application (the "Candidate") (jointly and without distinction, the "Data Subjects").
This information is provided for the Website as a whole, and not for other sites, pages or online services that can be reached via hypertext links that may be published or present on the Website but refer to resources outside the domain of the Data Controller, which may be consulted by the Data Subject.
1. Data Controller
The data controller is MAFG S.r.l. with registered office in Milan (MI) - Via Caio Secondo Plinio n. 11 – 20129 (hereinafter, the "Data Controller" or the "Company").
The Data Controller provides the following e-mail address for all communications: info@nexthire-ai.com.
The Data Controller may designate one or more Data Processors pursuant to Article 28 of the GDPR, who, on behalf of the Data Controller, provide specific processing services or related, instrumental or support activities by adopting all those technical and organizational measures appropriate to protect the rights, freedoms and legitimate interests that are recognized by law to the Data Subjects.
2. Description of the processing
The processing will concern individual operations, or a set of operations, of the following personal data provided by the Data Subject when he/she uses the services rendered by the Data Controller, through the Website, as described in the following table (the "Personal Data" or the "Data"):
| Type | Purpose of the Processing | Legal basis | Data Retention |
|---|---|---|---|
| a. Client's access data to the Platform: username and password. | • To allow the Clients to access the account and use the services available. | Performance of a contract to which the Client is a party or execution of pre-contractual measures taken at the request of the Client (Article 6(1)(b) of the GDPR). | For the duration of the account's validity. |
| | • To comply with the obligations established by law, by a regulation, by EU law or by an order of the Authority, including anti-fraud and anti-money laundering control and prevention activities. | Compliance with a legal obligation to which the Data Controller is subject (Article 6(1)(c) of the GDPR). | For as long as is required by law. In any case, for a maximum period of ten (10) years. |
| b. Identification data of the Potential Client provided through the contact form on the Website: name, surname, e-mail, telephone number, reference company, role held and further data spontaneously provided by the Client through the contact form. | • To respond to requests from Potential Clients, who may be contacted by e-mail or by means of other communication systems, if provided by them. | Execution of pre-contractual measures taken at the request of the Potential Client (Article 6(1)(b) of the GDPR). | For the time necessary to satisfy the requests of Potential Client. In any case, this data may not be kept for a period exceeding ten (10) years from the satisfaction of the requests received from the Prospect. In the event of a dispute, the Data may be stored until the expiry of the ordinary appeal periods. |
| | • Exercise the rights of the Data Controller, for example to exercise a right in court. | Legitimate interest of the Data Controller (Article 6, paragraph 1, letter f) of the GDPR). | |
| c. Potential Client's email address provided through the contact form on the Website. | • Direct marketing activities; | Express consent of the Potential Client (Article 6(1)(a) GDPR). The Potential Client may withdraw consent at any time by sending a message or email to the Data Controller at the telephone number or email address from which he/she receives the marketing communication or at the email address indicated in this policy. | Until the Potential Client's consent is revoked and in any case for a period not exceeding two (2) years from collection. |
| | • sending of informative newsletters. | Express consent of the Potential Client (Article 6(1)(a) GDPR). The Potential Client may withdraw consent at any time by sending a message or email to the Data Controller at the telephone number or email address from which he/she receives the marketing communication or at the email address indicated in this policy. | |
| d. Candidate Data contained in unsolicited applications submitted through the Website or for open positions on the Website. • Common data: name and surname, telephone number, email, country and province of residence, attached Curriculum Vitae, any additional data spontaneously provided in the application form; • any special data pursuant to Article 9, par. 1 of the GDPR, such as, by way of example, data relating to health, sexual orientation, religious conventions, etc. | • Evaluate new potential collaborators and employees; • interview candidates. | Execution of pre-contractual measures adopted at the request of the Candidate (Article 6, paragraph 1, letter b) of the GDPR and Article 111-bis of the Data protection Code) and, with regard to any special data provided, the need to fulfil the obligations attributed to the Data Controller or the exercise of rights recognised to the Candidate, in the field of labour law and social security or protection, pursuant to Article 9(2)(b) GDPR. | For twelve (12) months after receipt of the application by the Candidate. |
| e. Website Users' browsing data: • information about the device used (e.g. mobile network system, unique device identifiers), hardware and browser settings, IP address; • web pages visited, duration of the visit, interactions with the page (e.g. scrolling, clicking, etc.), date and time of visits; • other parameters relating to the operating system and IT environment used by the Data Subject. | • Monitoring of the operation of the Site, also for the purpose of improving the user experience and security. | Legitimate interest of the Data Controller (Article 6, paragraph 1, letter f) of the GDPR). | For a period of two (2) years. |
| f. User data relating to the use of the Website: • IP address, date and time of access, date and time of requests made. | • To provide the services available on the Website. | Performance of a contract to which you are a party or execution of pre-contractual measures taken at your request (Article 6(1)(b) of the GDPR). | For the time necessary to manage the User's request, not exceeding 5 years, except for any need for verification by the competent authorities. |
| | • Improve services based on the experience of the Users. | Legitimate interest of the Data Controller in the improvement of its services (Article 6, paragraph 1, letter f) of the GDPR). | For the time necessary to manage the User's request, not exceeding 5 years, except for any need for verification by the competent authorities. |
| g. Cookies and other technologies for reading/storing information on the Data Subject's terminal | Please refer to the “Cookie Policy”, available at the following link: https://nexthire-ai.com/cookie-policy/. | | |
It should be noted that, with reference to browsing data, the information collected, although not intended to be associated with identified subjects, by its nature, if associated with other Data held by third parties (e.g. internet service provider), could allow the identification of the Data Subjects (e.g., IP addresses, domain names of the PCs used, URL addresses of the requested resources, time of the request, numerical code relating to the status of the response given by the server).
3. Processing methods
The processing of Personal Data:
(a) is carried out by means of the operations indicated in Article 4, paragraph 1, no. 2 of the GDPR and precisely: collection, recording, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, cancellation and destruction of Data;
(b) is also carried out with the aid of electronic or automated means;
(c) is also carried out using e-mail or other distance communication techniques.
4. Transfer of Personal Data
The management and storage of Data will take place primarily in the European Economic Area, on the servers of third-party companies duly appointed as data processors.
The Data Controller may also provide access to the Site and the services indicated therein in other countries, in which case the transfer of Data to such countries is strictly limited to the actual need to be aware of them. The Data Controller will take the necessary measures to protect the Personal Data of the Data Subjects and prevent unauthorized access.
In the event that Personal Data are transferred to the systems used by the Data Controller and/or third-party companies duly appointed as Data Processors also outside the European Union, the Data Controller ensures the application of the European Commission's standard contractual clauses to ensure a secure international transfer of personal data, on the basis of art. 44, 45 and 46 of the GDPR.
In the event that such transfer takes place to countries that do not provide the same level of protection provided for by the GDPR or applicable legislation, or in any case an adequate level of protection of personal data, the Data Controller will ensure that each of these recipients assumes specific contractual obligations in accordance with the applicable regulations on the protection of personal data (including the signing of the Standard Contractual Clauses "SCC" approved by the European Commission) or in the absence of an adequacy decision pursuant to Article 45, paragraph 3 GDPR, or adequate safeguards pursuant to Article 46 GDPR, including binding corporate rules, will request, pursuant to Art. 49 of the GDPR, the possibility of transferring personal data to a third country subject to the acquisition of specific consent from the Data Subject. In any case, the Data Subject may request more information regarding the transfer of Personal Data, by writing to the e-mail address: info@nexthire-ai.com.
5. Security Measures
The Data Controller has adopted a variety of security measures to protect the Data against the risk of loss, misuse or alteration, consistent with the measures expressed in Article 32 of the GDPR. The processing is carried out using IT and/or telematic tools, with organizational methods and logics strictly related to the purposes indicated.
6. Consequences of failing to provide Personal Data
Without prejudice to the Data Subject's right to provide Personal Data to the Data Controller, the provision of Personal Data may be:
(a) mandatory for the purpose of providing the services accessible through the Website and for purposes related to the fulfilment of obligations provided for by applicable laws and/or regulations, as well as by provisions issued by the competent supervisory and/or control authorities/bodies;
(b) optional with reference to the data provided spontaneously by the Data Subject, for direct marketing purposes and for sending the informative newsletter.
Any refusal by the Data Subject to provide Personal Data to the Data Controller may make it impossible for the Data Controller to provide the requested services and make access to the Website available.
In addition, please consider that the revocation of one or more permissions and/or consents not granted by the Data Subject may have consequences on the proper functioning and/or on the possibility of accessing and/or using the Website correctly and/or providing the services by the Data Controller.
With regard to the provision of special data, in the event that he/she provides personal data that are not relevant and/or revealing – pursuant to the applicable legislation (e.g. regulations on protected categories and compulsory recruitment, etc.) – the selection process, the Data Controller will not process such data and will delete them immediately. In this regard, unless strictly necessary, we ask you not to provide this type of information.
7. Data retention and deletion
The retention period of Personal Data is indicated in the table in point 2 above.
At the end of the retention period, the Personal Data will be deleted. Therefore, upon expiry of this term, the right of access, cancellation, rectification and the right to portability of Personal Data can no longer be exercised by the User.
Personal Data will be stored by means of computer archives, including portable devices, adopting appropriate measures to ensure their security and to limit access only to personnel authorized by the Data Controller and within the strict scope of the purposes indicated above.
8. Who we can share personal data with
For the purposes indicated above, Personal Data may be made accessible or communicated to:
(a) employees and collaborators of the Data Controller, in their capacity as authorised data processors, within the scope of their respective duties and in accordance with the instructions received. Such individuals are in any case subject to obligations of confidentiality;
(b) to third parties who carry out outsourced activities on behalf of the Data Controller whose activity is connected, instrumental or in support of that of the Data Controller (e.g. management software);
(c) to all those public and/or private entities, natural and/or legal persons (such as, by way of example, legal, administrative and tax consultancy firms, funds, including private social security and assistance funds, Judicial Offices, Chambers of Commerce), if the communication is necessary or functional to the correct fulfilment of the contractual obligations undertaken, as well as the obligations deriving from the law;
(d) to all those subjects (including Public Authorities) who have access to Personal Data by virtue of regulatory or administrative measures.
In any case, the Personal Data collected will not be disseminated.
9. Rights of the Data Subject
The Data Subject may exercise the rights provided for in Chapter III of the GDPR within the limits and under the conditions provided therein:
(a) access to the Data (art. 15): the Data Subject has the right to obtain from the Data Controller confirmation as to whether or not Personal Data concerning him or her is being processed and, if so, to obtain access to the Personal Data in a commonly used electronic format and certain information on the processing (e.g. purposes, categories of Data processed, recipients, extra-EU transfers, implementation of profiling activities, etc.);
(b) rectification of Data (art. 16): the Data Subject has the right to obtain the rectification of inaccurate Personal Data concerning him or her without undue delay and/or the integration of incomplete Personal Data, including by providing a supplementary statement;
(c) erasure of Data or "right to be forgotten" (art. 17): the Data Subject has the right to obtain from the Data Controller the erasure of Personal Data concerning him/her without undue delay and the Data Controller has the obligation to erase Personal Data without undue delay;
(d) limitation of processing (art. 18): the Data Subject has the right to obtain from the Data Controller the limitation of processing;
(e) Data portability (art. 20): the Data Subject has the right to receive the Personal Data concerning him or her provided to a Data Controller in a structured, commonly used and machine-readable format and has the right to transmit such Data to another Data Controller without hindrance from the Data Controller to whom he or she has provided them;
(f) Withdrawal of consent (art. 7, par. 3): the Data Subject has the right to revoke the consent given at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
(g) Objection to processing (art. 21): the Data Subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of Personal Data concerning him or her pursuant to Article 6(1)(e) or (f) of the GDPR, including profiling on the basis of these provisions.
10. How to exercise rights
The Data Subject may exercise the rights at any time by sending:
(a) an e-mail to: info@nexthire-ai.com;
(b) a registered letter with return receipt to MAFG S.r.l. with registered office in Milan (MI) - Via Caio Secondo Plinio n. 11 – 20129.
The Data Controller undertakes to provide the Data Subject with information relating to the action taken regarding a request to exercise rights without undue delay and, in any case, at the latest within a period of 30 (thirty) days from receipt of the request itself, extendable up to 3 (three) months only in cases of particular complexity.
Any rectification or erasure or limitation of processing carried out at the explicit request of the Data Subject, except where this proves impossible or involves a disproportionate effort, will be communicated by the Data Controller to each of the recipients to whom the Personal Data have been transmitted. The Data Controller may communicate to the Data Subject the references of the recipients, if requested.
11. Right to lodge a complaint
Data Subjects who believe that the processing of Personal Data is in violation of the provisions of the GDPR have the right to lodge a complaint with the Data Protection Authority: i) by e-mail, to the address garante@gpdp.it or urp@gpdp.it; ii) by fax to 06.696773785; or iii) by post to the registered office located in Rome (Italy), Piazza Venezia n. 11 – Cap 00187, or alternatively by appeal to the judicial authority.
12. Data Processors and Authorized Persons
The updated list of data processors and persons in charge of processing is kept at the headquarters of the Data Controller.
13. Modification
This policy may be modified and/or updated at any time. If the Data Controller intends to process your Personal Data for purposes other than those indicated in this Data protection Policy, it undertakes to provide, before such further processing, adequate information regarding these different purposes and to carry out such further processing in compliance with current legislation, collecting the specific consent of the Data Subject where necessary.
Updated: August 2025