Candidate Privacy Notice

1. Data controller

2. Types of data processed

As part of the selection process, Xenia S.r.l. processes the following categories of personal data:

• Identification data: name, surname, date of birth, tax code, residential address
• Contact data: email address, phone number, LinkedIn profile
• CV data: work experience, educational background, professional skills, languages, certifications
• Cover letter data: professional aspirations, application motivations
• Reference data: if voluntarily provided by the candidate
• Technical data: IP address (anonymized), submission date and time, browser user agent

Note: Xenia S.r.l. does not request and invites candidates not to include in their CV or cover letter any special category data (art. 9 GDPR), such as racial or ethnic origin, political opinions, religious beliefs, health status, sexual orientation.

3. Purposes, legal basis, and retention periods

4. Use of AI in the selection process

Xenia S.r.l. uses artificial intelligence systems to support the CV screening process. Such processing occurs exclusively:

• With the candidate's explicit consent
• In assisted screening mode, i.e., as support for human analysis
• With mandatory human review of every evaluation produced by the AI
• No decision regarding hiring is made solely through automated means pursuant to art. 22 GDPR

AI service providers (Processors under art. 28 GDPR)

Pseudonymization:Before sending to AI systems, data is pseudonymized by removing the candidate's name, surname, and email address, in order to minimize privacy risks.

5. Extra-EU transfers

Personal data may be transferred to the United States as part of the use of the AI services indicated above. Such transfer occurs based on the following safeguards:

• EU-US Data Privacy Framework: for providers certified under the DPF (European Commission adequacy decision of July 10, 2023)
• Standard Contractual Clauses (SCC): approved by the European Commission with Decision 2021/914, supplemented by additional technical and organizational measures

Candidates may request a copy of the safeguards adopted by writing to admin@xeniamilano.com.

6. Data recipients

Personal data may be disclosed to:

• Authorized internal staff: HR manager, area managers involved in the selection process
• IT service providers: hosting, cloud storage, email (designated as Processors under art. 28 GDPR)
• AI service providers: OpenAI and Anthropic (as indicated above)
• Legal and labor consultants: where necessary for regulatory compliance

Data is not disclosed or sold to third parties for marketing purposes.

7. Processing methods and security

Data processing is carried out using electronic and/or paper-based tools, with organizational and logical methods strictly related to the indicated purposes. In accordance with art. 32 GDPR, Xenia S.r.l. adopts appropriate technical and organizational measures, including:

• Encryption of data in transit (TLS 1.3) and at rest
• Access control based on the principle of least privilege
• Multi-factor authentication for corporate accounts
• Regular backups and disaster recovery procedures
• Periodic staff training on data protection
• Logging of access to candidate data (audit log)

8. Nature of data provision

Provision of data marked as mandatory in the application form is necessary for the assessment of the application. Failure to provide such data will make it impossible to proceed with the selection process.

Provision of consent for AI screening and for retention in the candidate database is optional. Refusal does not affect the assessment of the application, which will be carried out manually by the HR team.

9. Data subject rights

Pursuant to arts. 15-22 of the GDPR, candidates have the right to:

• Access (art. 15): obtain confirmation of the existence of processing and access their data
• Rectification (art. 16): obtain correction of inaccurate data
• Erasure (art. 17): obtain deletion of data ("right to be forgotten")
• Restriction (art. 18): obtain restriction of processing
• Portability (art. 20): receive data in structured format and transmit it to another controller
• Objection (art. 21): object to processing for legitimate reasons
• Withdrawal of consent (art. 7): withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal

To exercise their rights, candidates may send a request to admin@xeniamilano.com.

Complaint to the Supervisory Authority: Without prejudice to any other administrative or judicial remedy, data subjects who believe that the processing concerning them violates the GDPR have the right to lodge a complaint with the Italian Data Protection Authority: www.garanteprivacy.it

10. Updates to this notice

This privacy notice may be updated to reflect regulatory or organizational changes. In case of substantial changes, Xenia S.r.l. will inform candidates through appropriate means. We recommend periodically checking this page.