1. Types of personal data
The data provided by You and concerning the personnel assigned to the performance and management of the agreements with the Company, including name, surname, contact data, e-mail address, positions where relevant; data related to the payroll and any social, pension and/or insurance contribution duly payments with reference to Your personnel who is assigned to the performance of services in the Company’s premises (if such data are necessary for verifying the compliance with laws aimed at safeguarding personnel used for the performance if the activities under the agreements); data concerning Your legal representatives, including their judicial data, if required by the law (hereinafter the “Data Subjects”) - either where such data have been provided by You directly or if obtained by public sources (for example by the Companies House) – will be processed by the Company in accordance with the Regulation and with local laws, including possible decisions issued by the Supervisory Authority, if applicable.
In case of suppliers who are natural persons, in addition to the data described above, the Company may process also data related to invoicing and payments (included tax code and VAT number), bank data, registration in specific bars or registers, economic and financial data (such as the financial report).
2. Purposes of the processing
The Company will process the data of the Data Subjects within the performance of its own commercial and financial activities for the purpose of selection, entering into, management and performance of the contractual relationships (including scouting activities prior to entering into a contract and/or the registration into the Company’s suppliers list). In particular, the data shall be processed in order to comply with legal obligations (for example, tax and accounting obligations, obligations arising from contract work and health and safety rules at work); for the registration of suppliers into the Company’s Management System (suppliers' list); for the administrative management of the contracts, including the management of payments and invoices; for the compliance with obligation related to the supply of goods and services, as well as for managing possible litigation, for internal control purposes (safety, productivity, quality of the services, preservation of financial integrity), for certification purposes. The data of Data Subjects may also be processed for periodical evaluation of the existence of the ethical and legal requirements established by the Company’s Code of Ethics and to perform audit, also inside Your premises, on quality, process, products or sustainability. For the above-mentioned purposes, your consent is not required since the Company is authorized to avail itself of the reliefs available under letter b), c) of article 6.1, of the Regulation.
In case of individual suppliers, as regards the processing of economic and financial data, such as commercial information and financial report, the Company is authorized to avail itself of the relief available under letter f) of article 6.1, of the Regulation (legitimate interests of the Company to verify the economic and financial solidity of its business partners).
The data shall be processed by the Company, and by its entrusted personnel by the Company, generally by the Purchasing department and by the Administration & Finance department, as well as by other staff employees who could have the need to process them, by means of electronic or manual systems and according to the principles of fairness, integrity and transparency that are required by applicable laws on data protection as well as by preserving the privacy of the concerned persons through the implementation of technical and organizational measures ensuring an adequate safety level (including, without limitation, by preventing access by unauthorized persons -unless such access is required by the applicable laws- or by ensuring restoration of access to data after material or technical accidents).
3. Storage of data
The data shall be stored in compliance with the applicable regulations on protection of personal data for the time that is necessary to comply with the above mentioned purposes. In particular, personal data will be stored by Company for the whole duration of the contractual relationship and also after its termination, in compliance with applicable laws (including, without limitation, the obligation to keep the invoices and other company documents for at least 10 years).
In any case, personal data will be stored no longer than 10 years after the termination of the contractual relationship, and/or 2 years for Marketing finalities (the latter only of authorized)
4. Disclosure, dissemination and transfer of data
Without prejudice to the duty of disclosure in order to fulfil any legal or contractual obligations, the data may be disclosed to tax or legal consultants, to Company’s collaborators, to the banks, to public entities as well as to those persons that are authorized by the laws to receive such data, if required, to Italian or foreign judicial or other public authorities for the fulfilment of legal obligations, or for the performance of the obligations arising from an agreement, including for the purposes of defence before the Courts. Such entities act as independent data controllers.
Contact details may also be disclosed occasionally and for single reasons, to other customers and/or suppliers of the Company, including –without limitation - if it becomes necessary to collaborate with any of such persons for the performance of the contractual obligation.
In order to perform certain services implying the need of personal data processing, the Company may also avail of third parties, particularly, among the others, it avails of A.W.S. Corporation S.R.L. in respect of all accounting and financial services, for managing of agreements, for video surveillance, and IT services, as well as of sub-processors of the latter, including, without limitation, the service of substitutive filing or maintenance on the IT systems in which data are processed. These companies shall operate as external data processors in compliance with specific and adequate directions concerning the processing methods and safety measures as specified in specific contractual documents. The full and updated list of the companies acting as processors is available on request to the contacts mentioned below.
The data may be disclosed outside the European Union.
Personal data shall not be disseminated.
5. Rights of Data Subjects
A Data Subject shall have the rights contemplated in the Regulation (articles from 15-21) in respect of the processing of data contemplated thereto, including the right to:
- Obtain confirmation of the existence of personal data concerning him/her and to gain access to them (right of access);
- Obtain the updating, modification and/or rectification of its personal data (right of rectification);
- Obtain erasure, or to set limits to processing, of personal data whose processing is unlawful, including those that are no longer necessary in relation to the purposes for which they were collected or otherwise processed (right to be forgotten and right to the restriction of processing);
- Object to processing (right to object);
- Withdraw previously given consent, if any, without prejudice to the lawfulness of processing based on that consent;
- Receive a copy in electronic form of the data concerning him or her, which have been provided to a controller in the framework of an agreement and to have such data transmitted to another controller (right to data portability).