Policy on the processing of candidates' personal data (“Policy”) pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (“GDPR”).

1. Data Controller and Data Protection Officer 

The Data Controller is Ersel Banca Privata S.p.A., with registered office in Piazza Solferino, 11 - 10121 Turin, in the person of its legal representative pro tempore (hereinafter “Ersel” or the “Data Controller”).

To exercise your rights, listed in Article 6 below, as well as for any other request relating to them and/or to this Policy, you may contact the Data Controller at the following addresses:

The Data Controller has appointed a Data Protection Officer (“DPO”) pursuant to Article 37 of the GDPR, whom you may contact to exercise your rights and receive any other information relating to your rights and/or this Policy, by writing to

2. Personal data processed

For the purposes set out in Article 3 below, the Data Controller shall process your personal data directly provided by you, including through the dedicated areas on the Data Controller's website, or collected from third parties (e.g. social networks or other recruiting portals) such as, by way of example:

  • personal and contact details;
  • data on your educational qualification and professional qualification;
  • data on your marital status and family situation; 
  • financial data (e.g. your income);
  • data of a special nature pursuant to Art. 9 of the GDPR, if you include them in your curriculum vitae (such as, for example, your membership of protected categories).

3. Purposes of processing and legal basis 

Personal data will be processed by the Data Controller for the purpose of carrying out the personnel selection process, including but not limited to, receiving and registering your curriculum vitae in the Data Controller's databases, assessing the information contained in your curriculum vitae in order to determine your potential suitability for the establishment of an employment relationship with the Data Controller, arranging interviews and related tasks.  

The legal basis for the processing of your data is the performance of activities of a pre-contractual nature at the request of the data subject, pursuant to Article 6(1)(b) of the GDPR; therefore, your consent is not required to authorise processing.

Your personal data of a special nature pursuant to Art. 9 of the GDPR, where you voluntarily include them in your curriculum vitae, will be processed by the Data Controller only where strictly necessary for the personnel selection process and, in any case, subject to your explicit consent pursuant to Art. 9(2)(a) of the GDPR.

4. Nature of provision, data retention period and processing methods

For the purpose set out in Article 3 above, the provision of your personal data of a common nature is mandatory; your refusal to provide such data will make it impossible for the Data Controller to assess your application during the selection process.

Failure to provide your special data or to give your explicit consent for their processing will prevent the Data Controller from considering and assessing such data in connection with the personnel selection process.

For the purpose set out in paragraph 3 above, your personal data will be kept for 12 months from the end of the selection process, subject to contractualisation of the employment/contracting relationship and consequent storage for the time related thereto.

Processing is carried out in compliance with the requirements of the GDPR, according to the principles of fairness, lawfulness and transparency and the protection of your rights as described therein. The personal data shall be processed through the use of electronic, telematic and paper media, subject to security measures suited to ensuring the privacy of the personal data and preventing undue access by unauthorised entities. 

The Data Controller shall not carry out any automated decision-making processes on your personal data, including profiling as referred to in Article 22(1) and (4) of the GDPR.

5. Disclosure of data

For the pursuit of the purposes described in Article 3 above, the personal data processed will be known to the employees, assimilated personnel and contractors of the Data Controller, who will act as authorised entities for the processing of personal data. 

Furthermore, your personal data may be processed by third parties belonging, by way of example, to the following categories:

  • service providers for the management of IT systems;
  • providers of legal and consulting services; 
  • personnel selection agencies;
  • other service providers;
  • companies belonging to the Group to which the Data Controller belongs, for the performance of instrumental activities connected with or supporting that of the Data Controller.

The entities belonging to the above-mentioned categories operate, in some cases, as data controllers specifically appointed by the Data Controller in compliance with Article 28 of the GDPR, and in other cases completely autonomously as separate data controllers, it being understood that, in the latter case, the communication of your personal data to such autonomous data controllers would take place solely to pursue the purposes set out in Article 3 above.

The complete and updated list of the entities to which your personal data may be disclosed can be requested by contacting the Data Controller at the address indicated in Article 1 of this Policy. 

Your personal data will not be disseminated.


6. Transfer of personal data outside the European Union

The Data Controller does not intend to transfer your personal data outside the European Union. 

Should such a circumstance become necessary for technical and organisational reasons, such a transfer will in any case be preceded by prior verification of satisfaction of the conditions of legitimacy and of the appropriate guarantees prescribed by Articles 44 et seq. of the GDPR. In such a circumstance, you may request information from the Data Controller about the transfer of your personal data outside the European Union and obtain a copy of the protection measures adopted by making a specific request to the Data Controller via the e-mail address


7. Data subjects' rights

In relation to the processing described in this Policy, as data subject, you may, under the conditions set out in the GDPR, exercise the rights set out in Articles 15 - 21 of the GDPR, in particular: 

  • right of access: the right to obtain confirmation as to whether or not personal data concerning you are being processed and, if so, to obtain access to your personal data – including a copy thereof – and communication of, inter alia, the information referred to in Article 15 of the GDPR;
  • right of rectification: the right to obtain, without undue delay, the rectification of inaccurate personal data concerning you and/or the integration of incomplete personal data pursuant to Article 16 of the GDPR; 
  • right to erasure (right to be forgotten): the right to obtain, without undue delay, the erasure of personal data concerning you, in the cases referred to in Article 17 of the GDPR; the right to erasure does not apply to the extent that the processing is necessary for the performance of a legal obligation or for the performance of a task carried out in the public interest or for the establishment, exercise or defence of legal claims;
  • right to restriction of processing: the right to obtain restriction of processing, in the cases indicated in Article 18 of the GDPR;
  • right to data portability: the right to receive, in a structured, commonly used and machine-readable format, personal data concerning you provided to the Data Controller and the right to transmit them to another data controller without hindrance, where the processing is based on consent and is carried out by automated means, in accordance with Article 20 of the GDPR. Furthermore, the right to have your personal data transmitted directly by the Data Controller to another data controller if this is technically feasible;
  • right to object: the right to object to the processing of personal data concerning you, unless there are legitimate grounds for the Data Controller to continue the processing, pursuant to Article 21 of the GDPR;  
  • right to revoke consent at any time without prejudice to the lawfulness of the processing based on the consent given before revocation;
  • right to lodge a complaint with the Personal Data Protection Authority, Piazza Venezia n. 11, 00187, Rome (RM).

The above-mentioned rights may be exercised vis-à-vis the Data Controller by contacting the points of contact indicated in Article 1 above. The Data Controller will take charge of your request and provide you with information on the action taken in respect of your request without undue delay and, in any event, no later than one month after receipt thereof.

The exercise of your rights as data subject is free of charge pursuant to Article 12 of the GDPR. However, in the case of requests that are manifestly unfounded or excessive, including by reason of their repetitiveness, the Data Controller may charge you a reasonable fee, in the light of the administrative costs incurred in handling your request, or refuse to grant your request. 

Finally, please be advised that the Data Controller may request further information necessary to confirm the identity of the data subject. 


The Holder
Ersel Banca Privata S.p.A.


Questa schermata consente al tuo monitor di consumare meno energia quando il computer resta inattivo.

Clicca in qualsiasi parte dello schermo per riprendere la navigazione.