JOINT CONTROLLERS:

·       GI GROUP STAFFING COMPANY S.R.L., registration number with the Trade Registry of Bucharest J40/6080/2009, fiscal identification number RO 25578361 (“GI”)

·       BARNETT MCCALL RECRUITMENT S.R.L., registration number with the Trade Registry of Bucharest J40/2768/1999, fiscal identification number RO 11577960 (“BMR”)

Common address: Romania, Bucharest, Arh. Louis Blanc St., 5^th Floor, 1^st District, Common Phone number: +4 021 231 53 24

Common e-mail address: ro.privacy@gigroup.com

DATA PROTECTION OFFICER

Address: Piazza IV Novembre 5, 20124 Milan Italy, in attention of the “Data Protection Officer”

E-mail address: dpo@gigroup.com

WHY IS YOUR PERSONAL DATA BEING USED AND

WHAT IS THE CONDITION THAT MAKES THE PROCESSING LAWFUL?

FOR HOW LONG DO WE KEEP YOUR PERSONAL DATA?

The personal data is used to meet the requests for information about the services offered by GI and BMR or by the companies of the Group.

In particular, if the request for information refers to services offered by other companies of the Group, GI or BMR will be able to respond by indicating the references to be contacted or by sending it directly to the company concerned in order to be able to provide an appropriate and timely response.

For the time needed to meet the requests for information.

The legal basis applicable to the processing of personal data is the execution of the contract with the data subject or the execution of pre-contractual measures adopted at the request of the same, according to art. 6 paragraph (1) let. b) of GDPR.

Once the conservation periods indicated above have elapsed, the personal data will be destroyed, deleted or made anonymous, compatible with the technical deletion and back-up procedures.

OBLIGATORY CONFERMENT OF THE PERSONAL DATA

The conferment of the personal data marked with an asterisk in the form of data collection is obligatory. Refusal to provide this personal data will prevent GI or BMR meeting the requests for information.

RECIPIENTS OF THE DATA

Personal data may only be processed by employees of the companies departments authorised to process such data, as they are responsible for pursuing the above-mentioned purposes. These employees have received adequate operating instructions in this respect.

The personal data may be communicated to the following subjects or categories of subject operating in the capacity of autonomous Controllers:

•         Companies of the Group in Romania or abroad, even outside the European Union, if the request for information refers to services offered by other companies of the Group.

The personal data may also be used, on behalf of the Company, by bodies designated as Processors, to which suitable operating instructions are imparted. These bodies are included in the following categories:

•         companies that provide IT services;

•         Site management and maintenance companies.

The list of the addressees of the data is continuously updated and can be referred to easily and free of charge by sending a communication in writing to the Joint Controllers at the address provided above or by sending an e-mail to ro.privacy@gigroup.com

TRANSFER OF THE DATA OUTSIDE THE EU

The data may be transferred abroad to countries that do not belong to the European Union, and in particular to

a.       Argentina and Switzerland, where the level of protection of the data has been considered adequate by the European Commission according to article 45 of the GDPR

b.       Brazil, Chine, Columbia, Hong Kong, India, Montenegro, Russia, Serbia and Turkey following the signing by GI or BMR with the importer of the data of the standard contractual clauses adopted/approved by the European Commission according to article 46, 2, letters c) and d) of the GDPR

The adequacy decisions can be consulted at the following links:

Switzerland: https://eur-lex.europa.eu/legal-content/IT/TXT/?uri=CELEX%3A32016D2295

Argentina: https://eur-lex.europa.eu/legal-content/IT/TXT/?uri=CELEX%3A32003D0490

A copy of the standard contractual clauses signed by GI or BMR can be obtained by sending a written communication to the Joint Controllers or an e-mail to ro.privacy@gigroup.com

RIGHTS OF DATA SUBJECTS

You may ask the Joint Controllers for access to the personal data that refers to you, for it to be corrected or deleted, for the addition of incomplete personal data or for the use to be limited in the cases referred to in article 18 of the GPDR as well as to object to its use in instances of legitimate interest of the Joint Controllers.

Moreover, for instances in which the use is based on the consent or on the contract and is made with automated instruments, you are entitled to exercise the right to move the data or to receive the personal data in a structured format, in common use and legible by automatic devices, as well as if technically feasible to transmit it to another Controller without restrictions.

You will be able at any time to complain to the competent Authority for the Protection of Personal Data, as well as to resort to other means of protection laid down by the applicable regulations.

These rights may be exercised by sending a communication in writing to the Joint Controllers at the address indicated above or by e-mail to ro.privacy@gigroup.com

JOINT CONTROLLERSHIP AGREEMENT

The Companies have stipulated a joint-controllership agreement, pursuant to Article 26 of the GDPR, by which they have determined their respective responsibilities in particular as regards the joint determination of:

•         the purposes and means of the processing of Personal Data;

•         the procedures for providing timely feedback to data subjects’ requests to exercise their rights, as described in the “data subjects’ rights” section of this notice;

•         appropriate security measures for the processing of Personal Data and the procedures for the management of data breaches;

•         the content of this notice.