1. RISKS Failing to provide privacy information to individual clients or individuals belonging to client organizations in any capacity exposes our company to the potential risk of penalties.
2. PURPOSE Describe the rules governing the collection and processing of personal data and documents related to customers and suppliers.
3. SCOPE This policy applies to all customers and suppliers.
4. ACTIVITY REGULATION Privacy notice pursuant to Art. 13 D. Lgs. 196/2003, Arts. 12.1, 13, and 14 EU Privacy Regulation 679/2016, known as GDPR.
We inform you that your personal data, already acquired or to be acquired by the Data Controller as better indicated below, will be processed in compliance with legal requirements and the rights recognized to you by law as "data subjects," in the event that your organization is an individual or sole proprietorship.
If your organization is not an individual or a sole proprietorship (for example, a corporation), the information referring to it, although not qualifying as "personal data" according to and for the purposes of privacy regulations, is still equated to personal data under applicable rules, only when such data is processed for potential loyalty, profiling, or direct marketing purposes (usually never related to our suppliers) for some limited purposes, particularly related to the obligation to provide the information pursuant to Art. 13 D. Lgs. 196/2003 and collecting prior consent to processing.
This information is communicated to the data subject also to allow them to adequately inform their staff about the purposes and methods of processing performed by the data controller.
From May 25, 2018, the Data Controller will not be bound by this information, if and to the extent that the data subject already has the personal data that the Data Controller collects and processes as above. Therefore, the information will only apply to personal data not already available to the data subject (e.g., personal data resulting from processing operations carried out by the Data Controller after collection based on the data the data subject already had).
A) Categories of processing operations The processing will include operations of: collection by phone or electronically or in writing or from public registers, lists, acts, and documents and/or public and/or private databases (commercial information companies), registration, organization, storage, and processing on paper, magnetic, automated or electronic means, processing of data collected from third parties, modification, selection, extraction, comparison, use, interconnection with data from other subjects based on qualitative, quantitative, and timely criteria, recurring or definable from time to time, temporary processing aimed at rapid aggregation or transformation of the data, adoption of decisions in an automated and/or discretionary form, profile and report creation, communication, data deletion and destruction, or combinations of two or more of the aforementioned operations.
B) Purpose of processing The aforementioned processing and communication will have the following purposes:
- 1) Meeting pre-contractual needs (e.g., processing offers or your orders, solvency checks);
- 2) Fulfilling contractual (supply or purchase of goods and/or services) and legal obligations (e.g., accounting, tax formalities, administrative and accounting management and treasury);
- 3) Customer and supplier management for aspects other than those in 1-2;
- 4) Management of assignments and risk control (fraud, insolvencies, etc.);
- 5) Dispute management and credit assignment;
- 6) Financial services instrumental to the management of customers/suppliers and management of electronic payment instruments;
- 7) Insurance services instrumental to customer/supplier management. We do not foresee any processing for loyalty, profiling, or direct marketing purposes related to data referring to our suppliers.
C) Legal basis for processing The legal basis for processing is, depending on the circumstances, Article 6, letter a), of EU Regulation No. 45/2016 (the data subject has given their free and informed consent to the processing and has not subsequently revoked it), Article 6, letter b), of the said regulation (it is necessary for the execution of a contract to which the data subject is a party or for the execution of pre-contractual measures taken at the request of the same, e.g., requests to send information or commercial offers), Article 6, letter c) of the said regulation (it is necessary to fulfill a legal obligation to which the data controller is subject) and/or Article 6, letter f), of the said regulation (it is necessary for the pursuit of a legitimate interest of the data controller or third parties, prevailing over the interests or rights and fundamental freedoms of the data subject). Specifically, according to Art. 13 paragraph 1 letter d) of the regulation, a) the legitimate interest of the data controller is to be able to process the data to effectively and efficiently manage the relationship with its customers and/or suppliers and to organize the related internal organizational and management processes (including relationships with any sub-suppliers) and ii), in the case of processing for profiling, direct marketing, and loyalty purposes, to promote its products and/or services to the target customer base using offline and online methods, b) the legitimate interest of third parties is to receive from the Data Controller and process personal data to verify the correct fulfillment of legal and contractual obligations towards the data subject or third parties (e.g., verification by the public authority regarding the fulfillment of tax obligations, verification by the board of statutory auditors or auditors regarding the fulfillment of legal obligations, etc.) or to receive from the Data Controller and process personal data to be able to manage activities.
D) Data communication Without prejudice to communication to third parties carried out in compliance with legal obligations or regulations or other community legislation, the data will be communicated by us, not abroad, to the following categories of recipients: 1) banks and credit institutions, for making payments; 2) insurance companies; 3) debt recovery and/or transfer companies; 4) commercial information companies; 5) consultants and professionals; 6) professionals and professional firms (lawyers, accountants, auditors, etc.); 7) auditors; 8) other companies, entities, and/or individuals that perform activities instrumental, supportive, or functional to the execution of contracts or services requested by you (e.g., envelope and mail sorting companies, carriers and transporters, sub-suppliers). These subjects will process and in turn communicate the data to third parties as "data controllers" or "external data processors" pursuant to Art. 28 or 29 of D. Lgs. 196/2003, for the same aforementioned purposes in the interest of our company. In the case of external managers, the processing will be based on our directives and under our general supervision regarding the security measures adopted.
E) Transfer of data abroad The information in this section applies from May 25, 2018. The Data Controller plans to transfer personal data to a third country or an international organization.
F) Mandatory or optional consent For the sole purposes specified in point B) from 1 to 3, your prior consent to the processing is not required, as the law allows our company to process them without your prior consent if there is a legitimate interest in processing; the communication of the data by the data subject to the data controller is mandatory; in case of opposition to processing for these limited purposes sub C from 1 to 3, the data controller will not be able to carry out contractual relations with the data subject. On the other hand, consent to processing for the purposes referred to in point C) from 4 to 6 is always optional, but any refusal to consent would make it impossible for the data controller to manage, according to our usual levels of efficiency, quality, and safety, the activities related to the relationship with the data subject and may be evaluated as a reason not to start or continue the contractual relationship. Regardless of what is stated in point A) above regarding the definition of "personal data". If the data subject is a supplier of the Data Controller based on a contract, the Data Controller by law in some cases may be held jointly liable towards third parties (without prejudice to the right of recourse against the data subject) for any failure or incorrect fulfillment by the data subject in relation to certain legal obligations, e.g., social security or remuneration; for this reason, it is possible that our company requests the data subject to communicate documents containing certain personal data of employees (e.g., Single Employment Book, receipts for salary payments) to verify your correct fulfillment of such obligations.
G) Data retention period The data will generally be processed for the entire duration of the contractual relationships established with the data subject, and subsequently, only for the duration necessary to fulfill our legal obligations (10 years). Some data (e.g., first and last name, company name and business name, VAT number, Tax Code, email, phone number, mobile phone, fax, PEC, legal address, names of internal contacts, etc.) are also stored after the aforementioned deadline, within the limits necessary to maintain the professional or company profile of the data subject and thus rationalize the selection and commercial contacts with customers and/or suppliers. Where personal data is processed for IT security purposes (e.g., log records), the data will be stored for the time required to carry out the security checks and evaluate their results; normally, these checks are completed within a maximum of 1 year from the time of collection. In case of extrajudicial or judicial disputes arising with the data subject and/or third parties, the data will be processed for the time strictly necessary to exercise the protection of the Data Controller's rights.
H) Data Controller of your personal data Mavment s.r.l. - Via Colle della Maddalena 4/A - 84095 Giffoni Valle Piana (Sa) - Italy - VAT No. IT05426900659, in the person of its legal representative pro tempore, domiciled at the company, email: firstname.lastname@example.org. The data controller has appointed one or more Data Processors. These managers can be internal or external to the Company. Internal managers belong to homogeneous functional company areas that need to process the data for the purposes indicated in this information, such as the purchasing office, the IT administration office, the logistics-warehouse office, marketing, etc. The main internal Privacy Delegate appointed is Mr. AVAGLIANO GIANMARCO, domiciled for the office at the Data Controller. External managers are all categories of external subjects to whom the company must communicate the data for the aforementioned purposes (when these external subjects do not assume the direct role of independent controllers due to the scope of management autonomy they have regarding the processing entrusted to them).
I) Rights Regarding personal data, the data subject can exercise the following rights: Art. 7 D. Lgs. 196/2003: Paragraph 1. (…): to obtain confirmation of the existence or non-existence of data concerning you, even if not yet registered, and their communication in an intelligible form; Paragraph 2 (…): to also obtain an indication a) of the origin of personal data; b) of the purposes and methods of processing; c) of the logic applied in case of processing carried out with the aid of electronic instruments; d) of the identification details of the data controller, the data processing managers; of the subjects or categories of subjects to whom the personal data can be communicated or who can learn about them as appointed representatives in the State, managers or agents. Paragraph 3 (…): to obtain a) The update, rectification, or, when interested, integration of data; b) the cancellation, transformation into anonymous form or blocking of data processed unlawfully, including data which retention is unnecessary for the purposes for which the data were collected or subsequently processed; c) the certification that the operations referred to in letters a) and b) have been brought to the attention, also as regards their content, of those to whom the data have been communicated or disseminated, except in the case where this fulfillment proves impossible or involves the use of means manifestly disproportionate to the protected right; Paragraph 4 (…) to oppose, in whole or in part a) for legitimate reasons to the processing of personal data concerning you, even if pertinent to the purpose of the collection; b) to the processing of your personal data for the purpose of sending advertising material, direct selling, or for carrying out market research or commercial communication. Art. 8 D. Lgs. 196/2003: Paragraph 1: The rights referred to in Art. 7 are exercised by request addressed informally to the data controller or the manager, also through a manager, to which appropriate feedback is provided without delay. (…) Art. 9 D. Lgs. 196/2003: Paragraph 1. The request addressed to the data controller or the manager can be sent a) also by registered letter, fax, or email, b) if it concerns the exercise of the rights referred to in Art. 7 paragraphs 1 and 2, even orally and in this case, it is briefly noted by the manager or the manager. Paragraph 2. In exercising the rights mentioned above, the data subject may confer, in writing, delegation or written proxy to individuals, entities, associations, or bodies. The data subject can also be assisted by a trusted person. Paragraph 3. The rights referred to in Art. 7, concerning personal data relating to deceased persons, can be exercised by anyone who has a specific interest or acts to protect the data subject or for family reasons deserving protection. Paragraph 5. The request referred to in Art. 7 paragraphs 1 and 2 can be renewed by the data subject, unless there are justified reasons, with an interval of not less than ninety days.
Starting from May 25, 2018, the data subject will have the right to ask the data controller for access to personal data and their correction or deletion without undue delay or the limitation of the processing concerning him or her or to oppose their processing; will also have the right to withdraw consent at any time for one or more specific purposes of their personal data (ordinary and/or sensitive), it being understood that this will not affect the lawfulness of the processing based on the consent given before the withdrawal.
Furthermore, the data subject, pursuant to Art. 20 of the EU privacy regulation 679/2016, starting from May 25, 2018, has the right to receive in a structured, commonly used, and machine-readable format the personal data concerning him or her provided to the Data Controller and has the right to transmit such data to another data controller without hindrance from the Data Controller to whom they were provided, if the following condition (cumulative) is met:
a) the processing is based on the consent of the data subject for one or more specific purposes (Art. 6 par. 1 letter a) EU Reg.), or on the consent of the data subject concerning the processing of sensitive data and i.e., revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data intended to uniquely identify a natural person, data relating to health or sex life or sexual orientation (Art. 9 par. 2 letter a) EU Reg.), or on a contract to which the data subject is a party and whose execution the processing is necessary (Art. 6 par. 1 letter b) of the EU Reg.); and
b) the processing is carried out by automated means (software). In exercising their rights relating to data portability as described above, the data subject has the right to obtain the direct transmission of personal data from one data controller to another, if technically feasible.
The exercise of the so-called right to portability as illustrated above does not affect the right to cancellation ("right to be forgotten") provided for by Art. 17 of the EU privacy regulation 679/2016. For a complete examination of the rights due to the data subject from May 25, 2018, the same is invited to consult the text of articles 15, 16, 17, 18, 19, 20, 21, 22 of the EU privacy regulation 679/2016.
L) Complaint The data subject at any time has the right to file a complaint with the European Data Protection Supervisor using the link: http://www.edps.europa.eu/EDPSWEB/edps/lang/it/EDPS, or with the Italian privacy guarantor.