Privacy Policy for Employees
If you are reading this document, it means that you are working or are about to take up a position at nimax spa.
WHO WE ARE
We are nimax spa, headquartered in Bologna (“Nimax”), the data controller, and this Policy is intended to help you better understand which data is collected, for what purposes, with whom it is shared, and how you can manage your information.
To make the following explanation as clear and accessible as possible, we have included non-exhaustive examples and created a Definitions section that refers to more detailed explanations available at the end of this document. If you have any questions about this Policy or how your information is processed, you can contact us at privacy@nimax.it.
WHAT DATA WE PROCESS
Depending on how you collaborate with us, we may collect all or some of the following information.
Data you provide
By establishing an employment relationship with us, we may request Personal Data such as, by way of example but not limited to, personal, identification, contact, administrative, tax, banking, driving license, job-related, and assignment data, as well as information on your professional career, including CVs and photographs (e.g. for the company directory on the corporate intranet). This data will be requested to the extent necessary for the establishment and management of the employment relationship (e.g. assigning credentials, identification or access badges), or to provide you with company equipment (e.g. a car or other devices), and to contact you when necessary.
If you provide data concerning third parties (e.g. emergency contact details or information on children for potential tax deductions), you accept full legal responsibility and obligations, holding us harmless from any disputes, claims, or requests for compensation related to the processing of the Personal Data of third parties that you may have shared with us in violation of applicable data protection laws.
Sensitive Data you provide
During the employment relationship, we may become aware of certain Sensitive Data relating to you or third parties. These may include, by way of example and not limited to, data concerning your health or that of others (e.g. information about illness, injuries, disability, maternity, work capacity); union membership (e.g. union leave or coverage of union roles); and/or membership in a political party (e.g. holding elected public positions), exclusively for the purpose of using leave or absences recognized by law or, where applicable, by collective or company agreements, as well as to allow the exercise of trade union rights, including the processing of data related to the deduction of membership fees to associations or trade unions; religious beliefs, only in the event of taking leave for religious holidays or for managing meal services during company events that include catering. In all cases, we try—together with your cooperation—to minimize this data collection (e.g. by requesting a certificate without specifying the illness, or asking for food preferences without requiring details on intolerances).
Data inferred from your activity
During the employment relationship, we may collect Personal Data related to your work activity (e.g. attendance, absences, working hours, administrative, managerial, and accounting information that directly or indirectly concerns you in relation to business processes, performance evaluations, and any other information connected to the performance of your job duties, participation in company events, etc.). We also collect data related to your Device and/or its connection to our networks or systems. This may occur through clock-ins, or because you are assigned a company device, or because you are asked and/or allowed—before starting employment and for reasons related to the information you will handle—to convert your Device into a company tool. More details are available in the IT Tools Policy, which will be provided at the beginning of your collaboration and is always available on the corporate intranet.
THIRD PARTIES FROM WHOM WE COLLECT YOUR DATA
Judicial Data relating to you
During the employment relationship, we may receive Judicial Data either from you or from third parties (e.g. criminal records) in compliance with obligations or for the exercise of rights related to labor law or, in any case, within the scope of the employment relationship, within the limits set by laws, regulations, and collective agreements, as well as for the establishment, exercise, or defense of legal claims.
Data provided by third parties
Some of your Personal Data may be provided to us by third parties during the employment relationship. These may include occupational doctors, affiliated companies, other employees, or third parties acting as independent data controllers. In some cases, they may be individuals (including yourself) who report potential offenses committed within Nimax, to whom we provide a specific additional privacy notice to protect their confidentiality.
For ease of reading, from here onward, we will collectively refer to all Personal Data mentioned above as “Data.”
WHY WE USE YOUR DATA
Data is used for the following purposes:
To establish and manage the employment relationship
We use your Data to manage your employment relationship in all its contractual aspects (e.g. for the processing and payment of salary, bonuses, other compensation, benefits, etc.); for the administration and organization of work activities (e.g. assigning badges, credentials, access, company tools); for professional qualification and development, and for organizing and managing training courses; for managing career planning and professional growth processes; to carry out performance evaluations; to send you service communications and respond to any of your requests.
This processing is necessary to fulfill obligations and exercise specific rights applicable to us or to you in relation to labor law and social security and protection, as permitted by European Union law, Italian law, collective agreements, and measures issued by the Italian Supervisory Authority (Garante per la protezione dei dati personali). If you do not provide your Data, we will not be able to establish or continue the employment relationship.
Complying with legal obligations to which we are subject
We use your Data to fulfill specific obligations under European Union law, national legislation, regulations, and collective labor agreements at national or company level, including: complying with obligations regarding workplace hygiene, health and safety, and social protection (e.g. those arising from Legislative Decree 81/2008 regarding health surveillance); complying with tax, social security, and accounting obligations (e.g. related to the recognition of family allowances); fulfilling obligations related to the deduction of union dues or the exercise of trade union rights (e.g. management of leave, secondments, etc.), also within the framework of union procedures governed by law or collective agreements; ensuring compliance with orders or measures issued by judicial authorities, tax authorities, social security and welfare institutions – including supplementary – and insurance bodies; recognizing your right to observe religious holidays and to exercise the rights granted by law in case you hold public office; fulfilling any other obligation imposed on us as an employer, whether required by law, regulations, the applicable collective agreement, or in relation to new forms of collaboration (e.g. smartworking), as well as in compliance with instructions or orders from competent Authorities.
The performance of these legal obligations related to the employment relationship is the legal basis for this processing. If you do not provide your Data, we may not be able to comply with these legal obligations, and it may be impossible to establish or continue the employment relationship.
Safeguarding company assets
We use your Data, in particular data inferred from your activity, in compliance with company procedures, to protect Nimax’s corporate assets (both tangible and intangible) by implementing all necessary security measures to prevent the risk of destruction, loss, dissemination, alteration, theft, unauthorized access, and any other unauthorized activity involving personal or confidential data; carrying out technical and/or maintenance operations (e.g. software updates, replacements, upgrades, hardware maintenance, backups, etc.); performing audits and corporate cost planning (e.g. checking internet connection costs, phone usage, etc.).
The legal basis for this processing is our legitimate interest in protecting the security of our information assets, as further specified by applicable regulations. If you do not provide your Data, access to Nimax’s physical and digital premises may be denied.
Ensuring your safety, the safety of others, and meeting organizational and productivity needs
We use your Data, in accordance with company procedures, to protect workplace safety and the well-being of yourself and others who access company premises, for example by implementing physical access procedures to Nimax locations. This processing also includes the need to safeguard company organization and productivity.
These processing activities are based on the legitimate interests just described. If you do not provide your Data, we will not be able to establish or continue the employment relationship.
Preventing unlawful acts
We use your Data, in accordance with company procedures, to prevent and combat possible crimes committed using our company tools, networks, or otherwise to our detriment or that of our stakeholders as referred to in Legislative Decree no. 231/2001 “Regulations on the administrative liability of legal entities, companies, and associations, including those without legal personality, pursuant to Article 11 of Law no. 300 of 29 September 2000,” as well as for purposes related to so-called “whistleblowing.”
These processing activities are based on the legitimate interests just described. If you do not provide your Data, we will not be able to establish or continue the employment relationship.
Promoting company initiatives
We use your Data to send you communications aimed at involving you in surveys, questionnaires, research, and other similar initiatives related to the workplace or other topics of interest to us. This also includes the analysis, on an aggregate level (thus without identifying you), of employee feedback on these company initiatives. This processing is based on our legitimate interest in actively involving employees in company initiatives and improving the work experience based on their feedback. We commit not to conduct any investigation, not even through third parties, into your political, religious, or trade union opinions, or any other fact irrelevant to evaluating your professional aptitude during the course of the employment relationship. Failure to provide your Data will have no consequences for you.
Using your image within Nimax
We use your Data, in particular your profile photo, to publish it in the company directory, on the corporate intranet, or in company collaboration tools. This purpose also includes any video recordings of your face during training courses or company conference calls. For this latter use, you will receive specific notice before any recording, and you will be able to object at any time and on your own, for example by replacing your photo where possible or, in the case of courses, by choosing not to share your webcam data.
This processing is based on our legitimate interest and need to facilitate identification within the company community. Failure to provide your Data will have no consequences for you.
Once transmitted or collected, your Data may also be used for the following purposes:
Conducting checks related to the employment relationship
We use your Data to carry out checks and use it for all purposes related to the employment relationship, including disciplinary purposes, in accordance with specific company procedures (including the IT Tools Policy, always available on the corporate intranet), which, under Article 4, paragraph 3 of the Workers’ Statute, govern the use of tools, how checks are carried out, and any disciplinary consequences.
This processing is lawful to fulfill obligations and exercise specific rights applicable to us under labor law, social security, and social protection regulations, as permitted by European Union law, Italian law, collective agreements, the Workers’ Statute, and measures issued by the Italian Supervisory Authority (Garante per la protezione dei dati personali).
Meeting organizational needs with Nemesis
We may share your Data with our subsidiaries (in particular Nemesis), which act as independent data controllers, to meet internal administrative, HR, IT, financial, and accounting needs.
Defending ourselves in legal proceedings
We use your Data to meet possible legal defense needs both in court and out of court, as well as during pre-litigation phases.
HOW WE USE YOUR DATA
All Data collected for the purposes listed above is processed through electronic decision-making processes. Your Data may also be subject to combination and/or cross-referencing. For example, this allows us to combine your contact Data with Data inferred from your activities (e.g. via clock-ins, access records).
WHO WE SHARE YOUR DATA WITH
We share your Data with the following categories of recipients (“Recipients”):
Authorized personnel: our employees and collaborators who have signed a confidentiality agreement and follow specific rules for processing your Data (e.g. HR, Finance, IT personnel, etc.);
Our data processors: external parties entrusted with certain processing operations (for example, payroll companies, e-learning platforms, data hosting providers, tax and social security compliance platforms, archiving and storage providers for employee Data, developers and managers of related IT systems, business consultants and consulting firms, travel agencies for business trips, auditing firms, etc.). We have signed agreements with each of these parties to ensure your Data is processed securely and only under our instructions;
System administrators: employees or collaborators of our data processors responsible for managing our IT systems, who may access, modify, suspend, or restrict your Data. These individuals are pre-selected, properly trained, and their activities are tracked by systems they cannot modify, as required by the Italian Supervisory Authority. For more information, contact our IT Department or privacy@nimax.it;
So-called functional data controllers: third parties to whom we transmit your Data as part of the employment relationship (e.g. meal voucher providers; auditing firms; trade unions signing the National Collective Agreement and/or works councils, as expressly permitted by law or protocols; banks, credit institutions, insurance companies for payroll or benefit payments; social security and welfare agencies; tax authorities; the company doctor; competent judicial and/or supervisory authorities; subsidiaries acting for organizational needs with Nemesis; third parties offering employee discount programs; law firms).
Law enforcement or other authorities whose orders are binding on us: for example, when we are required to comply with a court order, a law, or to defend ourselves in court.
WHERE YOUR DATA IS STORED
We ensure that the processing of your Data by us and the Recipients complies with the European and national legislation to which we are subject. Transfers of your Data to Recipients may be based on appropriate safeguards (such as the EU Standard Contractual Clauses for data transfers within and outside the European Economic Area – EEA) and/or other legal bases under European legislation. More information is available by writing to privacy@nimax.it.
HOW LONG WE KEEP YOUR DATA
Data will be stored for as long as strictly necessary to manage the employment relationship and fulfill related legal obligations. We reserve the right to retain the Data for the time required to address any legal defense needs, including out-of-court and pre-litigation matters. You can request more information on our storage criteria and durations by writing to privacy@nimax.it.
HOW YOU CAN CONTROL YOUR DATA
You can request at any time to:
Access your Data: we will provide you with the Data we have about you and, if applicable, the source (e.g. if provided by a third party);
Port your Data: where applicable, we will provide a CSV file containing your Data;
Rectify your Data: for example, you can ask us to update your phone number, profile photo, or professional experiences if incorrect or outdated;
Restrict or object to the processing of your Data: for example, if you believe our processing is unlawful and/or that certain legitimate interest-based processing is inappropriate. In the latter case, we will assess your request, which may be denied if there are overriding legitimate grounds to continue processing;
Erase your Data: where there are no further legal grounds for retention.
You may exercise any of the above rights by writing to privacy@nimax.it.
The response time under European legislation is 1 month from your request (extendable by 2 additional months in complex cases). In some cases, our response may be delayed, limited, or denied based on national law. In such cases, you may contact the Supervisory Authority listed below.
You can also at any time:
- Contact the local Supervisory Authority (Garante per la protezione dei dati personali). Their contact information is available here: https://edpb.europa.eu/about-edpb/board/members_en
- Take legal action before the competent courts
WHAT THIS POLICY DOES NOT COVER
This Policy explains and covers the processing activities we perform as the data controller for our employees.
This Policy does not cover data processing by entities other than Nimax, especially by companies in the Cristal Union Group or other third parties acting as independent data controllers. We do not take responsibility for any processing of your Data not covered by this Policy.
Any further processing of data for purposes other than those indicated above will be preceded by specific notices explaining the details, scope, and potential connections to this Policy.
CHANGES TO THIS POLICY
This Policy is effective from the date indicated at the beginning of this document. We reserve the right to modify or update its content, in whole or in part, due to changes in applicable legislation. In the case of substantial changes, you will be appropriately notified.
Definitions:
Subsidiaries: Nemesis srl
Judicial Data: refers to Personal Data relating to criminal convictions, offenses, and security measures;
Personal Data: refers to any information that identifies or can identify a natural person. For example, an IP address or email address (if it includes a person’s full name) is considered Personal Data.
Sensitive Data: refers to Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data used to uniquely identify a person, and data concerning health, sex life, or sexual orientation.
Device: refers to the device (e.g. laptop, smartphone) you use to connect to our systems or networks.
IT Tools Policy: refers to the IT usage policy provided at the start of the collaboration, always available on the corporate intranet and by writing to privacy@nimax.it
1 See Art. 6(1)(b) and Art. 9(2)(b) of the GDPR.
2 See Art. 6(1)(c) of the GDPR; with reference to Sensitive Data, Art. 9(2)(b) and (g), and Art. 88 of the GDPR, as well as Art. 2-sexies(2)(u) and (uu) of the Italian Privacy Code; with reference to Judicial Data, Arts. 10 of the GDPR and 2-octies(3)(a) of the Italian Privacy Code.
3 See Art. 6(1)(f) of the GDPR; see also Arts. 88 of the GDPR, 114 of the Italian Privacy Code, and Art. 4 of the Workers’ Statute.
4 See Art. 6(1)(f) of the GDPR; see also Arts. 88 of the GDPR, 114 of the Italian Privacy Code, and Art. 4 of the Workers’ Statute.
5 See Art. 6(1)(b), Art. 9(2)(b), and Art. 88 of the GDPR; Art. 114 of the Italian Privacy Code; Art. 4(3) of Law 300/1970 (“Workers’ Statute”), taking into account the specific company procedures adopted pursuant to Art. 4(3) of the Workers’ Statute.
6 See Recital 48 of the GDPR.
7 See Art. 6(1)(f) of the GDPR; with reference to Sensitive Data, Art. 9(1)(f) of the GDPR; with reference to Judicial Data, Arts. 10 of the GDPR and 2-octies(3)(e) of the Italian Privacy Code.
9 See Chapter III of the Italian Privacy Code.