Privacy Policy

PRIVACY POLICY

Pursuant to Article 13 of EU Regulation 2016/679 (GDPR) and Legislative Decree 196/2003 as subsequently amended.

This Privacy Policy describes in a transparent and detailed manner how MAASI Enterprises SRL collects, uses, stores, and protects the personal data of website visitors, job applicants, and users of our digital self-assessment tools (Self-Assessment).

Last update: 5 June 2026.

1. Joint Controllers of the Processing and Joint Controller Agreement (Art. 26 GDPR)

Your personal data is processed under a Joint Controller arrangement, pursuant to Article 26 of the GDPR, by the following companies:
  • MAASI Enterprises SRL, with registered office at Via Agostino Bassi 5, 56121 Pisa, Italy, Fiscal Code and VAT Number IT02381350509, email: eu.privacy@maasi.enterprises (hereinafter referred to as “MAASI Italia”).
  • MAASI Enterprises Ltd, with registered office at 124 City Road, London, EC1V 2NX, United Kingdom, company registration number 08621900, VAT Number GB328514208, email: uk.privacy@maasi.enterprises (hereinafter referred to as “MAASI UK”).
The companies have stipulated a formal Joint Controller Agreement to transparently divide their respective responsibilities regarding the fulfilment of obligations arising from the GDPR. Based on this agreement, MAASI Italia has been designated as the primary point of contact for all data subjects residing in the European Union for the exercise of the rights provided by the GDPR, without prejudice to the data subject’s ability to exercise their rights against each Joint Controller. The Joint Controllers jointly manage the technological infrastructure, including Google Cloud and Google Workspace, as well as the commercial contacts database.

2. Types of Data, Purposes of Processing, and Legal Bases

MAASI processes your personal data according to the principles of lawfulness, fairness, transparency, and data minimisation, for the following purposes:
Type of Personal Data Purpose of Processing Legal Basis for Processing
Contact Data (“Contact Us” Form): name, email address, job role, company name. Responding to technical or commercial requests for information and formulating customised service proposals. Performance of pre-contractual measures adopted at the request of the data subject pursuant to Article 6(1)(b) of the GDPR.
Candidate Data (“Work with Us” Form): first name, surname, email, telephone, personal and professional data contained in the CV and interview notes. Evaluation of the professional profile for the purpose of integration into the company workforce for specific open positions. Performance of pre-contractual measures pursuant to Article 6(1)(b) of the GDPR and Article 111-bis of Legislative Decree 196/2003 (consent is not required).
Data for the “Talent Pool” (HR Database): CVs, cover letters, and contact details of candidates not selected for active positions. Retention of the professional profile for future hiring opportunities consistent with the candidate’s skills. Explicit, free, and informed consent of the data subject pursuant to Article 6(1)(a) of the GDPR.
Data for the Self-Assessment Tool: name, email, telephone, job role, company name, and answers provided in the test. Provision of the requested service, calculation of the preparation score (“readiness score”), and eventual sending of the relative certificate via email. Performance of a contractual or pre-contractual service requested by the data subject pursuant to Article 6(1)(b) of the GDPR.
Data for Direct Marketing (Sales & Leads): name, email, telephone number, job role, and company name. Sending named commercial communications, promotional newsletters, consulting service proposals, and invitations to company events. Explicit consent of the data subject pursuant to Article 6(1)(a) of the GDPR. The application of “soft-spam” is excluded for subjects who have not completed a purchase.
Navigation and Cookie Data: IP address (masked), pages visited, navigation data collected via Google Analytics. Monitoring website operation, aggregated statistical analysis, and commercial profiling. For technical cookies: legitimate interest (Art. 6(1)(f) GDPR); for analytical and profiling cookies: express consent via cookie banner (Art. 6(1)(a) GDPR).

3. Recipients of Data and International Data Transfers

Your personal data will not be sold, transferred, or distributed to third parties outside of MAASI. Data may only be disclosed to:
  • Controlled, affiliated, or common group companies, specifically MAASI Enterprises Ltd in the United Kingdom, for internal management purposes connected to the Joint Controller agreement.
  • External providers of cloud and application services appointed as Data Processors pursuant to Article 28 of the GDPR, including Google LLC for Google Workspace and Google Cloud services.

International Data Transfers

Data storage and processing occur on Google servers located within the European Union and the United States of America. The transfer of personal data to Google in the United States is legitimised by Google LLC’s active adherence to the EU-U.S. Data Privacy Framework (DPF), which guarantees a level of protection equivalent to the European level pursuant to Article 45 of the GDPR. Data flows to the United Kingdom (MAASI UK) are covered by the Adequacy Decision adopted by the European Commission on 19 December 2025, which guarantees the continuity of information flows without the need for further contractual safeguards.

4. Data Retention Periods

Personal data will be kept only for the time strictly necessary to achieve the purposes for which they were collected, in compliance with the principle of storage limitation under Article 5(1)(e) GDPR.
  • Contact Requests: data will be stored for 24 months from collection, to ensure proper management of the preliminary commercial relationship.
  • Spontaneous applications or applications for open positions (without inclusion in the Talent Pool): personal data contained in the CV will be deleted immediately at the end of the selection process for the specific profile.
  • Talent Pool Database (subject to prior consent): data will be stored for a maximum period of 12 months from the date consent was given, after which they will be definitively and irreversibly deleted.
  • Self-Assessment Tool: data entered exclusively for the performance of the test will be stored for a maximum of 30 days from the sending of the final report, unless separate consent is given for marketing purposes.
  • Direct Marketing: data will be processed for a maximum period of 24 months from collection or until consent is revoked (opt-out), which can be exercised at any time via the link present in every email.

5. Data Subject Rights

As a data subject, you have the right to exercise the rights established by Articles 15, 16, 17, 18, 20, and 21 of the GDPR at any time:
  • Right of Access: obtain confirmation of data processing and receive a copy, including evaluation notes prepared by HR.
  • Right to Rectification: obtain the updating or correction of inaccurate data.
  • Right to Erasure (“Right to be Forgotten”): request the deletion of your data if they are no longer necessary for the stated purposes.
  • Right to Restriction: request the suspension of processing in case of disputes.
  • Right to Data Portability: receive data in a structured, commonly used, and machine-readable format.
  • Right to Object: object at any time to processing for direct marketing purposes.
Requests can be submitted informally by writing to: privacy@maasi.enterprises. Should you believe that the processing violates the current provisions, you have the right to lodge a formal complaint with the Italian Data Protection Authority: www.garanteprivacy.it.