INFORMATION REGARDING THE PROTECTION OF PERSONAL DATA PURSUANT TO REGULATION (EU) 2016/679 (“GDPR” FOR SUPPLIERS)
- DATA CONTROLLER, CATEGORIES OF DATA SUBJECTS AND PERSONAL DATA PROCESSED
1.1. The Data Controllers are: a) FPZ S.p.A. registered office in Via F.lli Cervi, 16, 20863 Concorezzo (MB) VAT No./Tax Code 05933070962 b) ARIVENT ITALIANA S.r.l. registered office in Via Napoli 45, 20813 Bovisio Masciago (MB) VAT No./Tax Code 00748610961 c) DOSEURO S.r.l. registered office in Via Carducci 141 -20093 Cologno Monzese (MI), VAT No./Tax Code 00852970961 (hereinafter the “Data Controller” or the “Data Controllers”), and they provide some information in relation to the processing of personal data performed within the sphere of the relationship, existing or prospective, with your Company, in the role of Supplier or prospective Supplier of one or more Companies stated above (hereinafter the “Services”). 1.2. Specifically, the information herein concerns data relating to the following parties: (i) Suppliers and prospective suppliers as natural persons; (ii) natural persons acting in the name and/or on behalf of suppliers and prospective suppliers (including, for example, pro tempore legal representatives, agents, contact persons, etc.); (hereinafter, collectively, the “Data Subjects” and, individually, the “Data Subject”). 1.3. The following common personal data may be processed, depending on the Data Subjects: personal details, business place address, contact details, including electronic addresses, tax code, VAT number, accounting data, bank details in addition to other personal data, if any, of parties that, within your organisation, perform specific activities [Technical Manager, Quality Manager, Production Manager, etc, ] (hereinafter, the “Personal Data”).
2. PURPOSES AND LEGAL BASIS FOR PROCESSING PERSONAL DATA
(Why does the Data Controller collect Personal Data?)
(Why can/must the Data Controller keep Personal Data?)
|1)||a) Implementation of pre-contractual activities – management and implementation of the contract and therefore of the consequent commercial relationship, provision of the Services (and related assistance), compliance with the related administrative, accounting and organisational/management obligations (including|
Performance of pre-contractual measures adopted upon the request of the Data Subject or of a contract to which the Data Subject is a party.
FPZ SpA | Via F.lli Cervi, 16 | 20863 Concorezzo (MB) | Italia T. +39 039 690981 | firstname.lastname@example.org | www.fpz.com C.F. 05933070962 | P.IVA IT05933070962 Capitale Sociale € 600.000,00 i.v. | C.C.I.A.A. n°REA MB1853416
the preparation of master data lists, the development of new offers, provision of Services, payments, notifications relating, for example, to the planning of deliveries or any changes and more generally to the respective practical issues, etc.).
|Performance of pre-contractual measures adopted upon the request of the Data Subject or of a contract to which the Data Subject is a party.|
|2)||b) Compliance with a legal obligation related to civil, tax and administrative provisions, EU legislation, rules, codes or procedures approved by authorities and other institutions concerned, as well as compliance with requests from the administrative or judicial authority involved and, more generally, from public entities in compliance with legal provisions.||Compliance with a legal obligation applicable to each Data Controller.|
|3)||c) Enforcement and protection of its rights, including through out-of-court initiatives and also via third parties, as well as prevention, identification and dissuasion of fraudulent, dangerous, unauthorised or illegal activities and crimes (such as, for example, fraud, identity theft, etc.).||Pursuit of the legitimate interest of the Data Controller.|
|4)||d) To conduct a verification assessment (of existing suppliers) or a preventive verification to the end of evaluating a prospective collaboration (if not a supplier yet) by means of dedicated questionnaires.||Legitimate interest of the Data Controller to conduct verifications, at regular intervals, regarding the reliability of suppliers already rostered and on prospective suppliers,|
3. PROVISION OF THE REQUESTED DATA AND CONSEQUENCES OF NON-PROVISION
3.1. Personal Data must be provided in order to achieve the purposes set out in par. 2a) and 2b), “Purposes and legal basis for processing Personal Data”. Therefore, if such data are not provided – or provided in part – the activity requested by the Data Subjects cannot be performed, the contractual relationship cannot be finalised and the obligations related to the operational, economic and administrative performance of the Services cannot be fulfilled.
4. PROCESSING Personal Data will be processed by means of manual and computer tools exclusively by authorised and specially trained parties.
5. RECIPIENTS/CATEGORIES OF RECIPIENTS OF PERSONAL DATA
5.1. Personal Data may be disclosed to/known by:
– the Data Controller’s staff authorised to process (employees and associates);
– third parties providing services to Data Controllers – Web, e-mail marketing, accounting, administrative, legal, insurance, banking services – who perform part of the processing activities and/or tasks connected to and aimed at the latter on behalf of the Data Controller by virtue of an agreement with the latter;
– third-party companies and professionals appointed to enforce rights, interests, claims arising from the execution of Services or in any event from relations with the Data Subjects;
– State Administrations, judicial or administrative Authorities, public and private Entities, also subsequent to inspections and verifications;
– parties who can access the data under the provisions of the law or secondary or European community legislation.
5.2. Such recipients will act, where appropriate, as data processors. Only the category of the recipients is indicated, as it is continuously updated. In order to obtain the updated list of recipients, the Data Subjects can contact the Data Controller directly, by writing to the addresses stated in par.
6. PERSONAL DATA RETENTION PERIODS
6.1. The Personal Data will be stored by the Data Controller for the time strictly necessary for the purpose (indicated in paragraph 2 “Purposes and legal basis for processing Personal Data”) for which they were collected, and specifically:
➢ for the purpose stated in par. 2a): at least for the entire duration of the commercial relationship or provision of the Services or in any event for the time necessary to perform further activities/services in favour of the Data Controller/Controllers and, in any event, for a period not exceeding 10 years from the termination of the relationship whereby the Data Controller receives products and/or services from the Data Subjects;
➢ for the purpose indicated in par. 2b): Personal Data whose processing is necessary by virtue of legal obligations, for the entire duration envisaged by law;
➢ for the purpose illustrated in par. 2d): – if already a supplier of one or more Data Controllers for the entire duration of the commercial relationship or provision of the Services or in any event for the time necessary to perform further activities/services in favour of the Data Controller/Controllers and, in any event, for a period not exceeding 10 years from the termination of the relationship governing the supply of products and/or services – if a prospective supplier for a maximum period of 12 months
In all events, once the respective terms have elapsed, all Personal Data will be deleted. The terms indicated may be extended in cases where the Personal Data are relevant in relation to pending or foreseeable litigations, due to requests from the authorities concerned or pursuant to applicable legislation.
7. TRANSFER OF PERSONAL DATA TO A THIRD COUNTRY OR TO AN INTERNATIONAL ORGANISATION
As a rule, Personal Data are not transferred to Third Countries. Should this become necessary for compliance with the purposes indicated in par. 2, the Personal Data will be transferred in compliance with the provisions of law in force and through the application of adequate safeguards.
The Data Subjects, as applicable, may at any time and free of charge exercise the following rights towards the Data Controller: • Right of access: the Data Subjects can obtain from the Data Controller confirmation as to whether or not Personal Data concerning them are being processed and, in this case, obtain access to their personal data; • Right to rectification: the Data Subjects can obtain the rectification/integration of inaccurate/incomplete Personal Data; • Right to erasure: the Data Subjects can obtain, in cases stated in the regulation, the erasure of their Personal Data; • Right to restriction of processing: the Data Subjects can obtain, in cases stated in the regulation, restriction on the processing of Personal Data (the muting of stored personal data with the aim of limiting their processing in the future). • Right to data portability: the Data Subjects can – if data are processed by automated means based on consent or a contract – receive the personal data concerning them which they have provided to the Controller/Controllers, in a structured, commonly used and machine-readable format, and transmit those data to another controller. Furthermore, the Data Subjects have the right: – to object to the processing of Personal Data for the purposes indicated in par. 2c), “Purposes and legal basis for processing Personal Data”, for reasons, to be specified, connected to their particular situation; – in relation to the processing of their data for the purpose indicated in par. 2d) “Purposes and legal basis for processing Personal Data”, therefore for the management of promotional contacts, to object at any time and without giving any reason or, in the event the treatment is consent based, to revoke said consent at any moment in time, in the following ways: by clicking on the appropriate link at the bottom of each newsletter received in order to unsubscribe from the mailing list or, as regards the other means of communication, by contacting the Data Controller at the addresses indicated in par. 9; – finally, if it is deemed that the processing of their Personal Data breaches the provisions of the GDPR, to lodge a complaint with the National Supervisory Authority of the member state of the European Union where the Data Subjects have their habitual residence or place of work or where the alleged violation of their right has occurred (if that State is Italy, the entity which can be contacted is the Authority for the Protection of Personal Data (Autorità Garante per la Protezione dei Dati Personali) or to seek effective judicial remedy (art. 79 GDPR).
In order to exercise any rights or request information, the Data Subject may contact the Data Controller towards which it exercises the role of supplier or prospective supplier:
– FPZ S.p.A. by post to the address: Via F.lli Cervi 16 20863 Concorezzo (MB) by e-mail to: email@example.com
– ARIVENT ITALIANA S.r.l. by post to the address: Via Napoli 45, 20813 Bovisio Masciago (MB) by e-mail to: firstname.lastname@example.org
– DOSEURO S.r.l. by post to the address: Via Carducci 141 -20093 Cologno Monzese (MI) by e-mail to: email@example.com