In this regard, the Company is required to provide you some information about the methods and purposes of the processing of personal data concerning you, being the Company able to come into possession of some of them during the pre-contractual negotiations as well the training activities and the performance of the contractual relationships with you, in place and / or that may be established, concerning the purchase and / or sale of goods, products and / or the supply of services (hereinafter referred to as “Contract” or ”Purchase Order”).
Data Controller and Data Processors
The Data Controller is the person who determines the purposes for which and the manner in which personal data are to be processed (the ‘Data Controller’) and is identified in the Company, in the person Roberto Cocchi pro tempore.
The Data Controller may be contacted by e-mail at the following address firstname.lastname@example.org
Personal data may be processed on behalf of the Data Controller by another person appointed by the Data Controller, the ‘Data Processor’.
If you require more information on the updated list of our Data Processors, you may send a written request to the above mentioned Data Controller address.
Categories of data subject to Processing
The Data Controller processes personal, identification and non-sensitive data (i.e. name, surname, tax identification code, VAT Number, email address, telephone number, etc.) – hereafter referred to as ‘data’ – reported by you during the pre-contractual negotiations, the signature of the Contract and until its termination for any reason.
The data collection may be also carried out following the consultation of public registers, lists, deeds or documents that might be known by anyone within the terms and conditions set out by the rules on their availability.
Purposes of the processing
Your data will be processed without your consent (art. 24 a, b, c Privacy Code and art. 6 b and e GDPR) for the following purposes:
- Provide you the information requested;
- Comply with the preliminary requirements for the performance of the Contract for the sale / purchase of goods and / or services of the Data Controller;
- carry out the management of administration, accounting, orders, shipping, invoicing, services;
- comply with the pre-contractual, contractual and fiscal obligations deriving from the outstanding relationships with you;
- comply with the obligations required by law, rules, EU regulations or authorities (i.e. anti-money laundering);
- exercise the Data Controller’s rights (e.g. the right to legal defense in the event of non-fulfilment of contractual obligations).
- We also inform you that if you are already one of our customers, we may send with your consent promotional communications relating to the data controller’s services and products similar to those you have already used, (art. 130, clause 4 Privacy Code).
If the data controller intends to process your data for purposes other than those described in the paragraph above, you will be informed in advance.
Lawfulness of Processing
Processing shall be lawful only if and to the extent that at least one of the following applies:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes (Article 6 paragraph 1 letter a) and art. 9 par. 2 lett. a) EU Reg. 679/2016);
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6 paragraph 1 letter b) EU Reg. 679/2016);
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data (Article 6 paragraph 1 letter f) Reg. EU 679/2016).
Reason for the personal data provision
The provision of data for the abovementioned purposes is mandatory, insofar as it is requested for the fulfilment of legal and contractual obligations. Any refusal to provide them or any subsequent lack of authorisation for their Processing may cause the inability of the Data Controller Owner to implement the same contractual relationships.
Modalities to process personal data
Processing will be carried out in an automated and / or manual manner, using methods and tools in compliance with the security measures under art. 32 of the GDPR and Annex B of the Privacy Code (articles 33-36 of the Code), by specifically appointed persons, in compliance with the provisions of art. 29 GDPR, in order to pursue only the purposes for which the data were collected and, in any case, to guarantee their security and confidentiality.
We also inform you that the Company processes your personal data in full compliance with the principles of fairness, lawfulness and transparency.
Communication of data
Access may be granted for the purposes described in clause “Purpose of processing”:
- to the data controller’s employees and associates in charge and/or internal Processors and/or to system administrators;
- to banks, couriers, external professionals and consultants (e.g. tax consultants, attorneys, payroll consultants, agents, IT services, shipments, auditing firms) for the sole purpose of protecting credit and managing individual business relationships – to be compliant with applicable laws or for functional reasons necessary for the performance of the contract – performing outsourced operations on behalf of the data controller as independent external operators or processors appointed by the data controller.
- Without your consent (art. 24 a), b), d), Privacy Code and art. 6 b) and c) GDPR) the data controller may communicate your data for the purposes described in clause “Purpose of processing” to supervisory bodies, judicial authorities and all other subjects (Labour Inspectorate, ASL, Social Security Funds, ENASARCO, Chamber of Commerce) which by law require such communication in order to achieve these purposes.
These subjects will hold data as independent data controllers.
Data transfer to a third Country or to an international organisation
Personal data are to be processed within the European Union and stored on servers located in that area. Anyway, if necessary, the Data Controller will have the right to transmit such data to a third country or to an international organisation and / or to move the servers even outside the EU. In this case, the Data Controller ensures that the transfer of non-EU data will be carried out in accordance with the applicable legal provisions under art. 44 of the Privacy Code and art. 46 and following of the GDPR.
Policy concerning the retention of personal data
The Company will retain in its systems your personal data acquired for a period of time not exceeding the termination of the abovementioned purposes to the duration of the contractual relationship to which it relates.
However, in compliance with the principle of processing limitation and minimisation of data collection, the Company will reserve the right to keep your data in any case no later than ten years from the expiry date of the last Contract / Purchase Order signed by the parties.
Data subject’s right
Finally, the Company informs you that, pursuant to art. 7 of the Privacy Code and articles 15-22 of the GDPR, you, in relation to your personal data, as Data Subject may exercise specific rights at any time, by contacting the Data Controller, such as:
Right to access: The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data concerning the origin, purpose, category of data processed, recipients of communication and / or data transfer, retention period of personal data or the criteria used to determine this period;
Right to rectification: The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into
account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement;
Right to erasure: The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
- The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the data subject withdraws consent on which the processing is based and there is no other legal ground for the processing;
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
- the data subject objects to the processing and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) of the GDPR (personal data processed for direct promotional purposes).
Right to restriction of processing: The data subject shall have the right to obtain from the controller restriction of processing, including profiling, if interest, rights and fundamental rights of the Data Subject prevail over the legitimate interest of the Data Controller, if it is carried out for direct marketing purposes and if the personal data are processed for scientific or historical research purposes or for statistical purposes;
Right to limit the processing: The data subject shall have the right to obtain from the Controller the limitation of Processing, in cases where the accuracy of personal data is contested (for the period necessary to the Data Controller to verify the accuracy of such personal data), if the Processing is illicit and / or the Data Subject has opposed to the processing requesting its limitation;
Right to data portability: The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent and the processing is carried out by automated means;
Right to withdraw consent: if the Processing is based on your explicit consent, you have the right at any time to withdraw the previously given consent without prejudice to the lawfulness of the processing carried out upon your consent legitimately given before the revocation;
Right to lodge a complaint with a supervisory authority: in case of a breach of the Privacy Law, as a data subject, he has the right to lodge a complaint with the supervisory authority of the member state in which he resides or habitually works, or the state in which the supposed violation has occurred, without prejudice to any other administrative or judicial appeal.
If you need further information on the processing of your personal data and to exercise the abovementioned rights, you can send a written request using the contacts provided in the ‘Data Controller’ section of this statement.
If you request more information about your data, the data controller shall respond promptly – unless this proves impossible or involves a manifestly disproportionate effort compared with the right to be protected – and in any case no later than thirty days from the request. The data controller will justify any inability or delay in doing so to meet the request.
Automated decision-making processes
The data subject shall have the right not to be subject to a decision based solely on automated processing.