Who does the data processed by FourStars refer to?
For its type of business, FourStars must process the data of many different subjects. The information provided is mainly addressed to three main categories of subjects:

• Client Companies (or prospects);
• Users of the services, i.e. Candidates or Trainees;
• Any third party, not falling into the two previous categories. Third parties refer to those subjects who simply wish to browse our site or who wish to leave a comment on our blog, without us providing any specific service to them.

What data is processed?
For the provision of the requested services, FourStars must necessarily process institutional information of the Client Company, personal data of the company contacts and personal data of the Candidate/Trainee. In addition to the data provided by filling out forms, the navigation data such as IP addresses or domain names of the computers used by the users who connect to the site, addresses in URI (Uniform Resource Identifier) notation of the requested resources, time of the request, the method used to submit the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and any other parameter relating to the operating system and of the user’s computer.

In detail: What data and information relating to the Company is processed?
With respect to the Company, only the information that is strictly necessary for the provision of the service, such as:

• Business name;
• Legal and/or operational Headquarter;
• Contacts (pec, phone, e-mail, etc.);
• Legal representative’s personal data;
• Necessary codes for electronic invoicing;
• The necessary information to provide the service required in the contract. For example:
  -> for an internship activation, the following will be required:
  - Number of employees at the site in which the internship has to be activated;
  - opening hours and days;
  - ATECO/ISTAT codes;
  - applied CCNL;
  - Pat INAIL;
  - Any internships activated at the company;
  - personal data of the company tutor, including contacts, seniority, experience, and CV;
  -> for the scope of recruitment and selection processes, specific details will be requested to define the profile that will be searched for.

For the provision of services, therefore, information that can be classified as confidential is not treated, since it is mostly institutional information, available at the Chamber of Commerce or on the company’s website itself.

In detail: what data and information relating to the Candidate/Trainee is processed?
The candidate who registers on the platform looking for job offers or similar, will be able to insert his/her personal details and data, keeping in mind that the more information they provide, the easier it will be to find offers aligned to their profile. With reference to the subject about to start an internship, all data and information required under the legislation governing internships must be processed. Without the necessary information, FourStars will not be able to complete the activation procedure. FourStars will process the following data:

• Personal;
• Contacts;;
• CV (previous work experience or similar, trainings...)
• Unemployment certificate;
• Any previous experience in the company to verify that the role is aligned to the training project;
• Company tutor’s assessment;

But also:

• Data relating to the residence permit or citizenship, necessary to activate an internship in favor of a person with non-Italian citizenship;
• Data relating to health, necessary (ATTENTION: only medical certificates relating to the duration of the prognosis, without the need for the results of individual tests. Any additional documents will be requested directly by INAIL, the competent body.);
• Health data (ATTENTION: prognosis only, without the need to indicate the diagnosis), necessary to handle the recovery from an illness suspension.
• Data related to pregnancy, in order to proceed with the suspension of the internship due to mandatory maternity leave;
• Health data, necessary for the activation and management of internships for people with disabilities;
• Data related to citizenship, judicial situation, etc., necessary for the activation of internships in favor of the so-called Disadvantaged people.

These data are processed on the basis of specific legal obligations related to internships, labor law, tenders, projects or similar with the intent of creating social inclusion. PLEASE REMEMBER to transmit only the data that is strictly required.

In detail: what data and information relating to third parties is processed? For what purposes?
With reference to these subjects, navigation data may be processed through cookies (please refer to the appropriate section). This data is not stored if not in an aggregate form and for purely static, performance purposes, of our channels. To put forth a question on our blog, we ask for the user’s email, which will be used by FourStars to contact the user should the user himself ask to be contacted. Users are reminded that our response on the blog has no information which can make the user visible or recognizable. Users are invited NOT TO INDICATE any personal data in their question that would make them recognizable (eg. Tax codes, telephone numbers, emails, etc.):in the event that such data were to be indicated, we will delete them before publishing the response.

What is the purpose of the data of the companies processing?
The data related to the Companies are taken by the Data Controller for:

• Commercial and contact purposes with the client, on the basis of the interest shown by the client himself through the filling out of the form, signing up to specific initiatives, phone contact or via email or more generally the request of information and/or informative material, based on pre-contractual measures between the client and FourStars
• The provision of specific services, based on the existing contract between the client and FourStars, pre-contractual agreements, or on the basis of the user’s consent. Please note that to be able to use the services provided by FourStars, the user must register on the platform.
• Allow the client to receive informative material via email, such as regulatory updates, news on FourStars services, promotional information, and/or articles related to our blog on the working world and internships (newsletter). The processing is carried out on the basis of the client’s consent, expressed at the time of registration and based on the legitimate interest on behalf of the Data Controller. Please remember that it is always possible to manage preferences with regards to the information material one receives.
• Allow the Client to download or send informative material (eg. Guides) made available on the website by the Owner; based on the consent of the client himself, expressed through a specific request made by the user.
• Allow clients to participate to FourStars activities such as webinars, on the basis of the client’s consent who registered to take part to the initiative.
• Answer the client’s requests received through the voluntary sending of emails at the email addresses shown in this website or on forms of the same website or over the phone. The processing of the data collected is based on the contract, the precontractual agreements, or on the very consensus given by the client himself.
• Manage and organize the activity of the Data Controller, on the basis of the legitimate interest of the Data Controller, to extract statistics or studies relating to the specific sector of activity.
• Allow the Owner to receive feedback on the services provided, through customer care questionnaires, based on the legitimate interest of the Owner and the obligation to involve users in quality processes.
• Please note that filling out forms is always optional and that a refusal does not make it impossible to access FourStars services.
• Fulfill any legal obligations;
• Allow the exercise/defense of the Owner’s rights, including any legal action, lawsuit, or communication to the competent Authorities, should the user have committed criminal activities, by means of FourStars tools.

What purposes are the data of Candidates/Trainees processed for?
To allow the Candidate/Trainee to apply for a job or internship and any subsequent follow-up or interview, based on the consent given by the Candidate during the application. Job posts are published on the FourStars platform, where the candidate can, after registering, propose his candidacy. The job posts are also published on social networks and other sites: the Candidate that wants to apply will be redirected to the FourStars platform or receive invitations to register on the FourStars platform.

• Allow the activation and management of an internship (funded or not funded) or other active employment policy projects. The promoting Body (FourStars) contacts the applicant based on the data provided by the company that selected the trainee or directly provided by the Promoting Body. Please note that during the internship period, the trainee can be contacted by telephone or by email and that, in any case, registration on the platform, an online management tool of the practice, may be required. By registering on the platform, the trainee will always have access to the documents of his internship, be able to return the necessary documents and proceed with filling them out online.
• Commercial and contact purposes with the client, on the basis of the interest shown by the client himself through the filling out of the form, signing up to specific initiatives, phone contact or via email or more generally the request of information and/or informative material, based on pre-contractual measures between the client and FourStars.
• The provision of specific services, based on the existing contract between the client and FourStars, pre-contractual agreements or on the basis of the user’s consent. Please note that to be able to use the services provided by FourStars, the user must register on the platform.
• Allow the client to receive informative material via email, such as regulatory updates, news on FourStars services, promotional information, and/or articles related to our blog on the working world and internships (newsletter). Processing is carried out on the basis of the client’s consent, expressed at the time of registration and based on the legitimate interest on behalf of the Data Controller. Please remember that it is always possible to manage preferences with regards to the information material received.
• Allow the Client to download or send informative material (eg. Guides) made available on the website by the Owner; based on the consent of the client himself, expressed through a specific request made by the user.
• Allow clients to participate to FourStars activities such as webinars, on the basis of the client’s consent who registered to take part to the initiative.
• Answer the client’s requests received through the voluntary sending of emails at the email addresses shown in this website or on forms of the same website or over the phone. The processing of the data collected is based on the contract, the precontractual agreements, or on the very consensus given by the client himself.
• Manage and organize the activity of the Data Controller, on the basis of the legitimate interest of the Data Controller, to extract statistics or studies relating to the specific sector of activity.
• Allow the Owner to receive feedback on the services provided, through customer care questionnaires, based on the legitimate interest of the Owner and the obligation to involve users in quality processes.
• Please note that filling out forms is always optional and that a refusal does not make it impossible to access FourStars services.
• Fulfill any legal obligation;
• Allow the exercise/defense of the Owner’s rights, including any legal action, lawsuit, or communication to the competent Authorities should the user have committed criminal activities, by means of FourStars tools.

Is the provision of data mandatory?
The provision of data is mandatory if so required by the legislation applicable in the specific sector: failure to provide the data makes it impossible to complete the operations to activate the service. Without prejudice to the processing of navigation data that occurs automatically, the user is free to provide his personal data in the appropriate request forms to request the dispatching of informative material or other communications. When filling in the forms, except for when the fields are marked as mandatory with an asterisk, the user is free to provide their data. Failure to provide such data may make it impossible to obtain what is requested.

How is data and information processed by the FourStars platform?
Data processing is mainly carried out through a digital platform available online, entirely created by FourStars, which allows the exchange of information and documents between the parties to obtain the service required. The use of the platform by the user does not imply the acquisition of any license. Any liability arising from an improper use of the platform by the user is excluded.
Except for cases in which there were specific agreed upon exceptions, user data is entered by the user himself, who ensures, under his sole responsibility, completeness and truthfulness. Where possible, to help out in the filling out of forms, to avoid mistakes, the platform provides specific options to select from. The data entered can be modified at a later date, except in the case in which the documents generated following the compilation are formalized/ and or communicated to the competent subjects. Access to the platform takes place, after registration, with personal credentials: a username that is created by the platform and a personal password, kept by the user himself.
By registering to the platform and using the service, the user accepts and is aware that the operations performed may be monitored by FourStars. In fact, to be able to guarantee the service, the performance of its institutional purposes, and for control and maintenance needs, the data entered by users must necessarily be visible to FourStars. Access by FourStars staff, based on the area of competence within the company, will take place through personal credentials. Individuals with access privileges and system administrators are identified upstream, under direct supervision of the Management.
No type of connection/ access to the user’s system through the platform is carried out.

Implementation and update of the platform takes place regularly, especially due to the regulatory changes that govern the services offered by FourStars. The platform is available online and the servers are located in Italy, at FourStars headquarters and at FourStars’ IT partner. The servers are equipped with physical measures aimed at limiting access by unauthorized persons, and subject to automatic vulnerability tests, regularly carried out, in order to assess their security. There is a back-up system to preserve data, as well as a firewall and malaware system. Data are not transferred outside the EU and are not disclosed if not for necessary communication required by sector legislation.
The data in paper format is stored in a special archive, accessible only to personnel in charge and subjected to FourStars surveillance.

Services provided and carried out by third parties qualified as “Data Processors"
In addition to its own platform, FourStars uses services provided by third parties. In particular:

• Electronic invoicing system.
• Performance analysis systems for our channels, to obtain statistics, and to send questionnaires;
• Archive system for emails sent by FourStars;
• Services for sending emails, newsletters and marketing;
• Social media channels;
• Platform for the execution of webinars.

FourStars services provided by third parties, qualified as independent Holders.
To allow the client to pay by credit card, FourStars has entered into an agreement with a specific service company in Italy. The credit card details are communicated directly by the Client to the Company, by filling in the form on the Company’s website, and are not processed by FourStars. For information on the processing of the data by the third party, please refer to the website.

Who can come into contact with the data? Who is the Data communicated to?
As part of the services provided by FourStars, the aforementioned personal data of Client Companies, Candidates/Trainees (and third party users, where necessary) are processed by FourStars staff specifically appointed, based on their role.
The same data may also be processed, on behalf of and on instruction of FourStars, by parties who are external to the organization, the so-called “Data Processors” (such as IT consultants, IT maintainers, shippers, service companies, etc.)
FourStars, may also, in relation to the aforementioned purposes, need to communicate data to the competent authorities and bodies (for eg. Employment centers, INAIL, ITL, Regions, etc.). Any communication to the latter subjects, who operate as “independent data controllers”, may take place with the user’s consent, based on the fulfillment of the contract between the parties, based on the fulfillment of a legal obligation or a specific request from the Judicial or Public Security Authority or the need to exercise/defend a right.
Outside of these cases the data processed through the web will not be communicated or disseminated.

How long is the data stored for?
The conservation of the documentation relating to the internships is a specific part of the obligations FourStars has, as an activating body. No cancellation requests made if contrary to what is indicated by the regulations, will be taken into consideration.
In case of absence of specific regulations and in the absence of a legitimate interest by FourStars to conserve the documentation, the documentation will be kept in accordance with the provisions of art. 220 of the Italian Civil Code or according to the terms established for the ordinary prescription of rights. The personal data of subjects registered on the website will be kept as long as the interest of the subject persists. In order to ensure the correctness of the data and the persistence of the user’s interest, FourStars will send a reminder email to users who have been inactive for 10 years.

Who to contact and how?
Without prejudice to the right to lodge a complaint with the Guarantor Authority or to refer to the competent Judicial Authority, at any time, if the prerequisites are fulfilled, the user can exercise the rights provided by the EU Reg. 2016/679 by contacting the Data Controller or the Data Protection Officer, at the email address privacy@4stars.it
To allow the Owner to quickly take charge of the request, please indicate in the subject "EXERCISE OF GDPR FOURSTARS RIGHTS" and specify in the text:

• what right it intends to exercise;
• what is the service as object of the request;
• which are the data object of the request.

In case of unclear information, the Owner may need to contact the user again. How soon does the owner have to respond?
The deadline for responding to the user's request is, for all rights (including the right of access), 1 month, extendable up to 3 months in cases of particular complexity (determined according to the judgment of the Owner). The holder must in any case give a reply to the interested party within 1 month of the request, even in the case of refusal.

Rights of the person concerned

• Right of access (Article 15 of the EU Reg.2016/679). Right of the person concerned to obtain access to his own data and to file a complaint with the supervisory authority;
• Right of amendment (Article 16 of the EU Reg. 2016/679). Right of the person concerned to obtain the amendment of wrong personal data concerning him from the Data Controller;
• Right to cancellation (oblivion right) (Article 17 EU Reg. 2016/679). The person concerned has the right to obtain the cancellation of his personal data from the Data Controller without unjustified delay;
• Right to limitation of processing (Article 18 of the EU Reg.2016/679). Right of the person concerned to obtain a limitation of data processing;
• Right to data portability (Article 20 of the EU Reg.2016/679). The person concerned has the right to receive personal data concerning him/her provided by the Data Controller and has the right to transmit such data to another data controller without impediment by the first one;
• Right of opposition (Article 21 EU Reg. 2016/679). Right of the person concerned to oppose to the processing of his personal data;
• Profiling (Article 22 of the EU Reg. 2016/679). The person concerned has the right to not be subjected to a decision based only on automated processing, including profiling or other procedures which affect his/her person.

Can FourStars be appointed by the Client Company as Data Processor, with reference to the Company’s and the Trainee’s data?
No, as the Data Processor treats the data on behalf and on precise instructions of the Company, hence, not applicable to the present case. FourStars, in fact, has the same autonomy granted to an Employment center or to an employment agency. The fact that FourStars is a private company and that a service contract exists between the parties does not necessarily imply a Data Controller-Data Processor relationship pursuant to art. 28 of EU Regulation 2016/679.

Can FourStars accept privacy documents or IT security documents from Client Companies?
Due to the particular activity carried out, the Client Companies are often required to comply with a series of particularly rigorous models, policies, and standards, which are also extended to their suppliers. As part of a loyal and fruitful collaboration, FourStars is happy to share the standards adopted by its client companies, as long as it is compatible with the corporate purpose and service, offered by FourStars.

What are cookies?
Cookies are the information entered onto the browser when the user visits a website or uses a social network with his/her PC, smartphone or tablet. Each cookie contains various data such as, for example, the name of the server from which it comes, a numeric identifier, etc. Cookies can remain in the system for the duration of a session (i.e. until the browser used to browse the web is closed) or for longer periods and may contain a unique identification code. Cookies can be divided into different categories based on their characteristics and uses:

• Strictly necessary cookies. These cookies are essential for the proper functioning of our site and are used to manage the login and access to the reserved functions of the site and to speed up, improve or customize the level of service for the users. The duration of the cookies is strictly connected to the working session and are deleted by closing the browser, or long-running, if aimed at recognizing the visitor's computer. Their deactivation may compromise the use of services accessible by login, while the open part of the site remains accessible;
• Analysis and performance cookies. These cookies are used to collect and analyze web traffic and the anonymous use of the site. These cookies, even without identifying the user, allow, for example, the detection of the same user logging in at different times. They also check and improve the performance and usability of the system. The deactivation of these cookies can be done without the loss of any features;
• Profiling cookies. These are permanent cookies used to identify (anonymously or not) user preferences and improve their browsing experience, in order to send advertising messages in line with the preferences expressed by the user itself while surfing the net;
• hird-party cookies. These are cookies, usually used for profiling purposes, coming from other sites and contained in various elements hosted on the page itself, such as advertising banners, images, videos, etc. This type of cookie can be read by other parties, other than those who manage the web pages you visit.

Which cookies are present on this website?
This site uses:

• Cookies linked to the platform, belonging to the category of technical cookies, necessary to manage login and access to the site's reserved functions. These cookies do not require user consent.
• Google Analytics analysis cookies, necessary to collect and analyze site traffic and to allow aggregate statistical analysis regarding the use of the website visited and the use of the site. The installed version (Google Analytics 4), do not store the IP address and it has been configured in order to avoid collecting data that could potentially identify users; therefore, user agreement is not required.
• Advertising cookies (re marketing, segmentation and targeting) of Facebook, belonging to the category of third-party cookies. This is a web analysis service provided by Facebook that uses analytical cookies that are installed on the user's computer to perform aggregate statistical analysis on the use of the website visited, as well as to allow visitors to profile the Sites (which are identified by the "detection cookies") based on the information contained in their "advertising cookies", which concern three categories: age group, sex, marketing segments. On the web page https://it-it.facebook.com/privacy/explanation you can find more information about the Facebook service. On the page you can find additional information about advertising Cookies, necessary to identify (anonymously) user preferences and improve the browsing experience, in order to send advertising messages in line with the preferences shown by the user while surfing the net and information about timing of user data conservation. For this type of cookie, user consent is required that accept the condition through the informative banner.

Cookies management
The user can decide whether or not to accept cookies, using, at first access, the appropriate banner.
The user is invited to make the choice again only in the event that the conditions of the Policy & Privacy are modified. In the case of the user changes his mind after having given his consent through the banner, he can still manage cookies from the settings of his browser.
Attention: the total or partial disabling of technical cookies could compromise the use of site features reserved for registered users. On the other hand, the usability of public content is also possible by completely disabling the cookies. The disabling of "third-party" cookies does not affect the usability of the website in any way. The setting can be defined specifically for different websites and web applications. In addition, the best browsers allow you to define different settings for cookies "owners" and "third parties" cookies.

• Block third-party cookies, through specific functions of the browser.
• Activate the Do Not Track option (present in most of the latest generation browsers).
• Activate the “anonymous browsing” mode, which allows to navigate without leaving trace of the browsing data in the browser. The sites will not remember the user, the pages visited will not be stored in history, and the new cookies will be deleted. However, this function does not guarantee anonymity on the internet as the navigation data will continue to remain available to website managers and connectivity providers.
• Delete cookies directly through specific browser functions. Everytime you connect to the internet new cookies are downloaded, so the deletion operation should be performed periodically.

For example, with Google Chrome click on the wrench icon in the upper right corner and select “Settings”. At this point select 'Show advanced settings' and change the Privacy settings.

Chrome: https://support.google.com/chrome/answer/95647?hl=it
Firefox: https://support.mozilla.org/it/kb/Gestione%20dei%20cookie
Internet Explorer: https://support.microsoft.com/it-it/help/17479/windows-internet-explorer-11-change-security-privacy-settings
Opera: http://help.opera.com/Windows/10.00/it/cookies.html
Safari: http://support.apple.com/kb/HT1677?viewlocale=it_IT

To find out more about cookies:
http://www.allaboutcookies.org
http://www.networkadvertising.org/choices/
http://www.youronlinechoices.com/it/
https://tools.google.com/dlpage/gaoptout
http://www.aboutads.info/choices