APPLICANT NOTICE

Last update and effective date: December 2025 

 

1. Introduction

Pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 (hereinafter, the “Regulation“), we wish to inform people who come into contact with  Sisal group (the “Group“) for the purposes of establishing an employment relationship, for example by sending aspontaneous application or by responding to recruitment advertisements published on the Group’s or Third Parties’ websites, or who are contacted for the  recruitment purposes (hereinafter, the “Applicants” or the “Data Subjects“), that their personal data (the “Data” or their “Personal Data”) will be processed lawfully, correctly and transparently, in light of the following terms and purposes.

 

2. Data Controller

In relation to the position for which Applicants is applying, The Data Controller (the “Data Controller” or the “Society”) is a Sisal Group’s company as listed below:

1)        Sisal S.p.A.

2)        Sisal Italia S.p.A.

3)        Sisal Gaming S.r.l

4)        TSG Italy S.r.l.

5)         Snaitech S.p.A.

6)        Epiqa S.r.l.

7)        SNAI Rete Italia S.r.l.

8)        Snaitech Smart Technologies S.r.l.

9)        U4Line S.r.l.

10)     Fondazione Snaitech

Such companies have their registered office at Via Ugo Bassi 6, 20159 – Milano. Data Controllers mentioned at point 1), 2) and 3) above can be reached at the email address privacy_sisal@legalmail.it; data controller mentioned at point 4) above ca be reached at privacy_pokerstarsita@legalmail.it; companies referred to points no. 5), 6), 7), 8), 9) and 10) can be contacted at the PEC address privacy_snai@legalmail.it

In the case of spontaneous application not directed to a specific position, the Data Controller is Sisal S.p.A., as identified above.

 

3. Data Protection Officer

The Data Controller appointed a Data Protection Officer (“DPO”) who can be contacted at the following email address: dpo@fluttersea.com.

 

4. Source of personal data

The personal data to be processed by the Data Controller may be acquired, also through the remote communication techniques used by the Data Controller (e.g., websites, apps, etc.):

· Directly from the Data Subject who responds to recruitment advertisements, including those published on websites, or when the Data Subject sends his/her application spontaneously, as well as within the selection phase;

· By third parties who are not the Data Subject and who notify the Data Controller a candidate fitting the job purpose, such as head hunters, recruitment and selection companies or other employees or partners of Sisal Group, for example as part of the Referral Program. In this case, some of the Data Subject’s Personal Data may be acquired in advance from the reporting employee in order to establish communication with the candidate.

 

5. Purpose and legal basis of the processing

The Company processes the Data Subject’s personal data in the context of personnel search and selection procedures, or to verify the conditions for recruitment and/or for starting a collaboration. The legal bases of these processing are:

1) the execution of pre-contractual measures adopted at the Data Subject’s request, necessary to i. identify suitable candidates through its employees or collaborators (including under the Referral Program) and ii. possibly establish an employment contract or another type of collaboration with the Data Subject;

2) compliance with the legal obligation aimed at verifying the existence of any conflicts of interest, also in order to meet international standards in this area and maintain the certifications held by the Group companies.

 

6. Categories of data processed

To pursue the above purposes, the following categories of personal data will be processed: personal and contact detail (e.g., name, surname, tax code and VAT number, professional address and professional telephone number, studies, profession and sector); personal data contained in identification documents (e.g., identity card, driver’s license, passport, residence permit); data relating to current employment work (annual gross salary); particular data (e.g., health data). Please notice that the processing of particular data is allowed to fulfill the obligations and exercise the specific rights of the Data Controller or of the Data Subject in the field of Labor Law and Social Security and Social Protection, if is authorized by the Union Law or the Member States Law or by a collective agreement under the law of the Member States, subject to appropriate safeguards for the fundamental rights and interests of the Data Subject. Furthermore, these categories of data are processed exclusively by the personnel of the Data Controller who need to process them due to their duties or hierarchical position within the organizational unit responsible for the management of human resources.

Where necessary, for the pursuit of the aforementioned purposes, Data may also concern other subjects related to the Data Subject (e.g., family members, etc.): in this case, the Candidate undertakes, under his/her sole responsibility, to transfer this privacy policy to such subjects, any liability of the Data Controller is excluded.

 

7. Processing MeansMethods

The processing of personal data takes place using manual, automated and telematics tools, with logic strictly related to the purposes indicated above and, in any case, in compliance with guarantees and necessary measures prescribed by the applicable legislation and aimed at ensuring the confidentiality, integrity and availability of personal data, as well as avoid damage tangible or intangible (e.g. loss of control of personal data or limitation of rights, discrimination, identity theft, financial loss, unauthorized decryption of pseudonymized data, loss of reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social damage).  The collection of personal data may occur through the use of the contact channels made available by the Data Controller, which may also require the creation of an account

 

8. Communication and dissemination

To pursue the above purposes, the Data Controller reserves the right to communicate personal data:

• other group companies of which the Data Controller is a part, or in any case parent companies, subsidiaries or affiliates, pursuant to art. 2359 c.c. (based in Italy or abroad), in the context of the existing intercompany agreements for the management of the activities referred to in the aforementioned purposes;

• subjects that provide services for the management and hosting of the information system of the Data Controller (e.g., mailing services)

• subjects that carry out control, audit and certification of the activities carried out by the Data Controller;

•  subjects that carry out head haunting and personnel recruitment;

•  Professional firms that carry out assistance and consultancy (e.g., accounting firms, law firms, etc.);

•  subjects that carry out receptionist services

•  subjects that carry out printing, bagging, transmission, transport and sorting of communications;

•   subjects who in various ways can succeed the Data Controller in the ownership of legal relationships (e.g., assignees of goods, credits or contracts).

The subjects listed above operate independently as Data controllers or as Data Processor based on specific legal act compliant with art. 28, paragraph 3, of Regulation. The updated list of data processors of the companies mentioned at point 1), 2) and 3), section 2 above is available by submitting a request to privacy_sisal@legalmail.it; the updated list of data processors of company mentioned at point 4), section 2 above is available by submitting a request to privacy_pokerstarsita@legalmail.it,  the updated list of Data Processors appointed by the companies referred to in points 5), 6), 7), 8), 9) and 10) in paragraph 2 above is available upon request at the PEC address privacy_snai@legalmail.it. Personal data may also be known by the staff in relation to the performance of the tasks assigned. Personal data will not be disseminated and, therefore, will not be brought to the attention of indeterminate subjects, in any form.

 

9. EXTRA-UE transfer of Data

Personal Data may be transferred to Parties located in countries outside the European Union which cooperate with the Data Controller to pursue the above purposes. Data transfer will take place only against the existence of international agreements or adequacy decisions by the EU Commission (Article 45 of the Regulation) or against the stipulation of Binding Corporate Rules (“BCR” pursuant to Article 47 of the Regulation) or in any case on the basis of other appropriate guarantees that guarantee the personal data transferred an adequate degree of protection pursuant to art. 46 and art. 49 of the Regulation. A copy (or an extract) of the guarantees adopted for the transfer as well as the list of third countries / international organizations to which the personal data have been transferred, may be requested at the certified e-mail address privacy_sisal@legalmail.it for companies mentioned at point 1), 2) and 3), section 2 above or at privacy_pokerstarsita@legalmail.it for company mentioned at point 4), section 2 above  or at the PEC address privacy_snai@legalmail.it for the companies referred to in points 5), 6), 7), 8), 9) and 10).

 

10. Data Retention

The Data processed for the above-mentioned purpose will be retained by the Data Controller for a maximum of 36 months from the closure of the evaluation process with a negative outcome (rejection of the application), without prejudice to any further retention following the establishment of an employment relationship with the Data Subject. In the case of processing carried out for the management of complaints or grievances, for the exercise of a right in judicial proceedings, or to comply with legal obligations, such periods may be extended until the complaint or grievance has been resolved, any judicial procedure has been concluded, or the legal obligation has expired. Once these periods have elapsed, the Controller will proceed with the automatic deletion of the collected Data or their irreversible anonymization. In the case of use through an account, the account will be deactivated following a request from the Data Subject or after 12 months from the last use by the latter.

 

11. Data Subject Rights

The rights referred to in Articles from 15 to 22 of the Regulations are guaranteed. In particular, the Data Subject can obtain: a) confirmation of the existence of personal data processing concerning him and, in this case, access to such data; b) the correction of inaccurate personal data and the integration of incomplete personal data; c) the deletion of personal data concerning him, in cases where this is permitted by the Regulation,  If an account is present, the Data Subject also has the option to request its closure; d) the limitation of processing, in the cases provided for by the Regulation; e) the communication, to the recipients to whom the personal data have been transmitted, of requests for rectification / cancellation of personal data and for the limitation of processing received by the Data Subject, unless this proves impossible or involves a disproportionate effort; f) the receipt, in a structured format, commonly used and readable by an automatic device, of the personal data provided to the Data Controller, as well as the transmission of the same to another data controller,  where the conditions set out by law are met (so-called data portability). The Data Subject also has the right to object at any time, for legitimate reasons, to the processing of personal data concerning him, even if pertinent to the purpose of the collection, without prejudice to the case in which the Data Controller demonstrates the presence of overriding legitimate reasons or the exercise or defense of a right pursuant to art. 21 of the Regulation. The Data Subject also has the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or which significantly affects his person in a similar way, unless this decision: a) is necessary for the conclusion or execution of a contract between the interested party and the Data Controller; b) is authorized by the law of the Union or of the Member State to which the Owner is subject; c) is based on the explicit consent of the interested party. In the cases referred to in the aforementioned letters a) and c), the Data Subject has the right to obtain human intervention from the Data Controller, to express their opinion and to contest the decision. The Data Subject may submit requests to the address privacy_sisal@legalmail.it for applications submitted to companies mentioned at point 1), 2) and 3), section 2 above of this privacy notice or to address privacy_pokerstarsita@legalmail.it  for applications submitted to company mentioned at point 4), section 2 above  or at the address privacy_snai@legalmail.it in the case of applications submitted to the companies referred to in points 5), 6), 7), 8), 9) and 10) by indicating in the subject “Privacy – exercise of privacy rights”, detailing which right he intends to exercise and providing the Data Controller with the information needed to identify him pursuant to articles 11 and 12 of the Regulation. The Data Subject also has the right to lodge a complaint with the supervisory authority, in particular in the Member State in which he habitually resides, works or in the place where the alleged violation for which the complaint is submitted has occurred (e.g., the Garante per la protezione dei dati personali in Italy), as required by art. 77 of the Regulation, as well as to take the appropriate judicial offices pursuant to art. 78 and 79 of the Regulation.

The exercise of rights is not subject to any formal requirements and is free of charge. If the Data Subject’s requests are manifestly unfounded or excessive, in particular due to their repetitive nature, the Controller may:

–  charge a reasonable fee taking into account the administrative costs incurred to provide the information or communication or to take the requested action; or

–  refuse to comply with the request.

In accordance with Article 12(3) of GDPR 2016/679, the Data Controller shall provide a response to the Data Subject without undue delay and, in any case, no later than one month from receipt of the request. This period may be extended by two months, if necessary, taking into account the complexity and number of requests (in such case, the Data Controller shall inform the Data Subject of the extension and the reasons for the delay within one month of receipt of the request).

 

12. Nature and obligation of the conferment

The provision of personal data is not mandatory. However, failure to provide them will make it impossible for the Data Subject reply to job advertisements, submit a spontaneous application as well as to take part in the personnel selection process aimed at recruitment and/or the start of collaboration.

 

13. Update of the Privacy Policy

The Data Controller reserves the right to periodically update the content of this page. The Data Subject is therefore invited to periodically consult the information contained herein to stay updated with respect to any changes that have occurred since the last consultation.