Complete privacy policy for Job Applicants

Valmet Tissue Converting S.p.A.

Who are we and what do we do with your personal data?

The company Valmet Tissue Converting S.p.A., with its registered office in 55100 Lucca (LU), Via Giovanni Diodati 50 (hereinafter also the "Data Controller"), as Data Controller will see to the confidentiality of your personal data and guarantee its necessary protection from any event that could put it at a risk of violation. The Data Controller applies policies and practices concerning the collection and use of personal data and the exercise of the rights recognized by the applicable legislation. The Data Controller is responsible for updating the policies and practices adopted for the protection of personal data whenever it becomes necessary and in any case whenever regulatory and organizational changes that may affect the processing of your personal data arise.

The Data Controller has appointed a Data Protection Officer (DPO) that you can contact if you have questions about the policies and practices adopted. The contact details of the Data Protection Officer are as follows:

How does the Data Controller collect and process your data?

The Data Controller collects and/or receives information about you, such as:

  • name, surname
  • date and place of birth
  • gender
  • fiscal code
  • images/videos
  • email
  • telephone number
  • address o data concerning the state of health if the interested person belongs to protected categories.

Your personal information will be processed for the following purposes:

1) Personnel selection and/or starting a collaboration


  • the search for candidates for open positions
  • the collection of applications and curricula which can be done through: personnel
  • recruitment ads through recruitment agencies, work temp agencies, universities, advertisements in newspapers, magazines, specialized publications, Institutional websites
  • the examination of the curricula received
  • the organization of selective interviews
  • the establishment of the employment and/or collaboration relationship.

Legal basis

Execution of pre-contractual activities

Fulfilment of specific obligations

Execution of specific tasks deriving from laws, regulations or collective agreements, including corporate ones, in particular for the purpose of establishing the employment and/or collaboration relationship

Your personal data is also collected from third parties such as, by way of example:

  • IT service provider;
  • agencies providing staff leasing, intermediation, personnel recruitment and selection,
  • training and support activities for professional relocation;
  • universities and schools.

Where applicable, the right to rectify data processed or collected remains unaffected.
The data collected or otherwise obtained by the Data Controller as a result of the selection process for positions available within his organization, except for those relating to health, voluntarily submitted by you, is considered necessary and failure to provide it will make it impossible for the Data Controller to carry out activities relating to the main processing:

  • to evaluate your application in the process of personnel selection carried out by the Data Controller also through its suppliers (third parties/recipients);
  • to manage the personnel selection process in all its phases and for the obligations resulting from it.

2) for the communication to third parties and the dissemination

Communication to third parties, such as

  • Agencies providing staff leasing, intermediation, personnel recruitment and selection, training and support activities for professional relocation
  • Information society and IT support companies
  • Companies of the Group for administrative purposes
  • Public and private bodies

Legal basis
Execution of pre-contractual activities

Fulfilment of legal and / or regulatory obligations dependent on the activities carried out with the selection process
The Data Controller does not transfer your personal data abroad (non-EU countries). Your personal data will not be in any way disseminated or disclosed to unspecified subjects not even identifiable as third parties.

The communication concerns the categories of data whose transmission is necessary for the performance of the activities and purposes pursued by the Data Controller in the management of personnel selection. The related processing does not require the consent of the interested party in the event that it takes place to fulfil the obligations deriving from the established relationship or if other exclusion hypothesis occurs (in particular the traceability of a legitimate interest by the Data Controller), expressly provided for or dependent on the legislation and regulations applied by the Data Controller, or even through third parties identified as data processors. Where the communication involves data relating to the state of health, the processing operations will be carried out with all the necessary assurances including those that, if requested based on the risks identified, determine the application of pseudonymisation solutions, and / or aggregation and / or encryption of data.

3) for IT security activities

control and monitoring of the services displayed on the network and on the platforms pertaining to the Data Controller and made available to you for sending curriculum and / or for accessing an open job / collaboration positions
implementation of the detection and notification of personal data violation (data breach)

Legal basis
Access to the selection procedure

Fulfilment of legal obligations (detection and notification of data breach events)

Legitimate interest

How, where and for how long is your data stored?

The data processing is performed through paper supports or IT procedures by specially authorized internal subjects. Such internal subjects are allowed access to your personal data to the extent that it is necessary to carry out the processing activities that concern you.
The Data Controller periodically checks the tools by means of which your data is processed and its security measures, which it constantly updates; it makes sure, also through the subjects authorized to process the data, that personal data for which processing is not necessary or whose purposes are exhausted, is not collected, processed, stored or retained; it makes sure that the data is retained with the guarantee of integrity and authenticity of its use for the purposes of the processing actually carried out, also due to the particular nature of the data. The verification allows the Data Controller to evaluate the strict relevance, non-excess and indispensability of data belonging to special categories with respect to the selection procedure and the relationship to be established, also with reference to the data you provide on your own initiative.

The Data Controller guarantees that the data, even after the verifications, are found to be excessive or irrelevant will not be used except for the possible retention, according to the law, of the deed or document that contains them.

The data is stored in paper, computerized and software files located within the European economic border, and adequate security measures are ensured.

For how long
Personal data is retained for the time necessary to carry out the activities that concern you.

In particular:

  • Identifying data
  • Curriculum data
  • Data revealing the state of health even if spontaneously submitted

Duration of the contractual relationship Without prejudice to:

  • the limitation of the processing and other guarantees provided for data belonging to particular categories -the cancellation of personal data collected through Curriculum vitae sent spontaneously or in the absence of an open position;
  • the interest of the Data Controller to keep the data, even those spontaneously submitted by you, for the time needed to evaluate the application also for future employment/collaboration relationships and in any case up to a maximum of 180 days.
  • the establishment of the employment and/or collaboration relationship.

Except in the event of litigation if it involves an extension of the aforementioned terms, for the time necessary to pursue the related purpose.

Electronic data

The duration of the storage depends on the presumed and / or detected risk and the prejudicial consequences that derive from it, without prejudice to the measures to make the data anonymous or to limit its treatment.
In any case, the data must be kept (with effect from the knowledge / detection of the hazard event or data breach) for the time necessary to notify the authority of the violation of the data detected through the procedures implemented by the Data Controller and in any case take remedial actions.
Once all the purposes that legitimize the retention of your personal data are exhausted, the Data Controller will take care of deleting it or making it anonymous.

What are your rights?

The rights that are recognized to you allow you to always have control of your data. Your rights are the following:

  • access;
  • correction;
  • revocation of consent;
  • cancellation;
  • treatment limitation;
  • opposition to treatment;
  • portability.

In substance, at any time and as long as the processing continues, free of charge and without any special charges or formalities for your request, you can:

  • obtain confirmation of the processing carried out by the Data Controller;
  • access your personal data and know its origin (when the data is not obtained directly from you), the purposes and the scopes of the processing, the data of the subjects to whom it may be disclosed, the period of retention of your data or the criteria used to determine it;
  • update or rectify your personal data so that it is always accurate and correct;
  • withdraw consent at any time, if this constitutes the basis of the processing. In any case, the revocation of the consent does not affect the lawfulness of the treatment based on the consent before the revocation;
  • delete your personal data from the databases and/or files, including backup files, of the Data Controller, if, among other things, it is no longer necessary for the purposes of the processing or if this is deemed unlawful, and provided that the conditions laid down by law are met; and in any event if the processing is not justified by another equally legitimate reason;
  • restrict the processing of your personal data in some circumstances, for example if you have contested its accuracy, for the period required for the Data Controller to check its accuracy. You must also be informed, in reasonable time, of when the period of suspension has ended or the cause of the restriction of processing has ceased to exist, and therefore the restriction itself withdrawn;
  • obtain your personal data, if its processing is carried out on the basis of a contract and with automated tools, in electronic format also in order to transmit it to another data controller.

The Data Controller must do so without delay and, in any case, at the latest within one month of receipt of your request. The time limit can be extended by two months, if necessary, taking into account the complexity and the number of requests received by the Data Controller. In such cases, the Data Controller will have to inform you of the reasons for the extension within one month of receipt of your request.

For any further information and to send your request, write to the email address

How and when can you oppose the processing of your personal data?

For reasons relating to your specific situation, you may oppose at any time the processing of your personal data if this is based on legitimate interest, by sending your request at the email address

You have the right to have your personal data deleted if there is no legitimate reason overriding the one that gave rise to your request.

Who can you complain to?

Without prejudice to any other administrative or judicial action, you may submit a complaint to the competent supervisory authority, unless you reside or work in another Member State. In the latter case, or where the breach of the data protection legislation occurs in another EU country, the authority to receive and hear the complaint will be the supervisory authority established therein.

Any update of this privacy policy will be communicated to you in a timely manner and by appropriate means and you will also be informed before carrying it out and in time to give your consent if necessary.