Information for suppliers and potential suppliers

Information pursuant to art. 13 and 14 of Regulation (EU) 2016/679 – GDPR, D.Lgs. 196/2003 and D.Lgs. 101/2018 – suppliers

This English Translation is provided for customers’ convenience only. Only the original Italian text is legally binding. Should there be discrepancies between the Italian and the English Versions, the Italian text will prevail. This notice describes the processing which is performed on personal data of suppliers pursuant to Regulation (EU) 2016/679. The processing is carried out through the use of electronic and paper tools and the data controller adopts appropriate technical and organizational security measures suitable to prevent the loss of data, illicit or incorrect use and unauthorized access.

1. Data controller

Ciotola S.R.L. registered office in Piazza De Gasperi, 18, 35131 Padua (PD), Italy | VAT number IT03677800280 | E-mail: privacy@ciotolasrl.it

2. Purpose of processing

a) Contact the supplier to request goods/services. The data controller can find the data on the web or receive them from subjects authorized by the data subject.

Data processed:

  • identification data (name, surname, address, telephone number).

Legal basis:

  • legitimate interests pursued by the controller [art. 6, paragraph 1, point f) and recital 47 of GDPR].

Duration of the processing and storage periods:

  • 24 months from collection.

Recipients:

  • persons who, under the direct authority of the controller or processor, are authorised to process personal data.

Personal data will not be transferred to other subjects or disseminated without the data subject’s consent.

b) The data subject contacts the data controller to propose goods/services and to send commercial offers. Data processing is necessary for the indicated purpose. Failure to provide the data makes it impossible to respond to the supplier.

Data processed:

  • identification data (name, surname, telephone number).

Legal basis:

  • processing is necessary in order to take steps at the request of the data subject prior to entering into a contract [art. 6, paragraph 1 point b) GDPR].

Duration of the processing and storage periods:

  • 24 months from collection.

Recipients:

  • persons who, under the direct authority of the controller or processor, are authorised to process personal data.

Personal data will not be transferred to other subjects or disseminated without the data subject’s consent.

c) Supply of goods and services. Data processing is necessary for the indicated purpose. Failure to provide the data makes it impossible to supply goods and services.

Data processed:

  • identification data (name, surname, fiscal code);
  • contact details (telephone number, e-mail addresses).

Legal basis:

  • processing is necessary for the performance of a contract to which the data subject is party [art. 6, paragraph 1 point b) GDPR].

Duration of the processing and storage periods:

  • 10 years from the end of the contract.

Recipients:

  • persons who, under the direct authority of the controller or processor, are authorised to process personal data.
  • data processor (art. 28 of Reg. EU 2016/679 GDPR) – the updated list of data processors is available at the data controller’s office.

Personal data will not be transferred to other subjects or disseminated without the data subject’s consent.

d) Receive invoices from the supplier and electronic processing of accounting data. Processing is necessary to fulfil the contractual obligations for payment and for compliance with a legal obligation to which the controller is subject.

Data processed:

  • identification data (name, surname, fiscal code);
  • contact details (telephone number, e-mail addresses);
  • economic situation relating to contracts between the controller and the supplier.

Legal basis:

  • processing is necessary for the performance of a contract to which the data subject is party [art. 6, paragraph 1 point b) GDPR];
  • processing is necessary for compliance with a legal obligation to which the controller is subject [art. 6, paragraph 1 point c) GDPR].

Duration of the processing and storage periods:

  • 10 years from receipt of the last invoice.

Recipients:

  • persons who, under the direct authority of the controller or processor, are authorised to process personal data.
  • data processor (art. 28 of Reg. EU 2016/679 GDPR) – the updated list of data processors is available at the data controller’s office.

Personal data will not be transferred to other subjects or disseminated without the data subject’s consent.

3. Transfer of data to third countries or international organisations

Personal data may be transferred to third countries or international organisations. In case of data transfer, the limits and conditions set out in the specific articles of EU Reg. 2016/679 – GDPR are respected. The data subject can obtain information on data transfer by writing an email to the address privacy@ciotolasrl.it.

4. Rights of the data subject

The data subject can exercise their rights as written in Articles 15 (right of access), 16 (right to rectification), 17 (right to erasure – right to be forgotten), 18 (right to restriction of processing), 19 (notification obligation regarding rectification or erasure of personal data or restriction of processing), 20 (right to data portability), 21 (right to object), 22 (automated individual decision-making, including profiling) of Regulation (EU) 2016/679, by contacting the controller at the email address privacy@ciotolasrl.it. The data subject has the right, at any time, to ask the controller for access to personal data, to rectify or erase them, to restrict the processing and to obtain the portability of data. The data subject has the right to object and, at any time, to revoke the consent given, without prejudice to the lawfulness of the processing based on the consent before the revocation. To request the deletion of data used for direct marketing activities, simply write an e-mail to privacy@ciotolasrl.it at any time with the subject “cancellation from advertising lists”. If the data subject believes that the processing of data violates the provisions of Regulation (EU) 2016/679 – GDPR, pursuant to art. 77 of EU Reg. 2016/679 – GDPR the data subject has the right to make a complaint to the Supervisory Authority: Garante per la protezione dei dati personali (www.garanteprivacy.it).

5. Modifications

This document may be updated if the processing activities, processing methods or applicable legislation change. In this case, the data controller will notify the data subjects. Detailed documents may be drawn up for specific or occasional processing that is not present in this document. Specific or different information relating to other processing may be contained in procedures and regulations issued by the data controller.