For the management of contractual relationships with the data subject, DGI, as data controller, processes certain data, defined as “personal”. Pursuant to EU Regulation 2016/679 (“GDPR”), in particular Articles 13 and 14 thereof, and the national legislation in force on the protection of personal data, the data controller is required to provide information on the processing of personal data and the rights to which the data subject is entitled.
We kindly ask you to carefully read this privacy notice, which concerns the processing of personal data of customers and suppliers who are natural persons, as well as of natural persons acting on behalf of customers and suppliers.
Personal data collected and processed are:
The personal data may be collected
• directly from the data subject or
• from publicly accessible sources (e.g. documents published in chambers of commerce, etc.)
The Data Controller will process personal data for the following purposes
Purpose I: performance of the agreement to which the customer/supplier is a party or processing of the customer’s/supplier’s pre-contractual requests. Legal basis of the processing: fulfillment of the contractual obligations or performance of pre-contractual activities requested by the data subject. In the absence of such data, the performance of the agreement or the supply of what requested by the customer/supplier will be impossible. Data retention period: retention period necessary to fulfill the pre-contractual request or period necessary to perform the agreement.
Purpose II: activities required by law, including tax, health and safety at work, environment, anti-money laundering, banking and public security law. Legal basis of the processing: need to comply with the law. Data retention period: retention period required by law.
Purpose III: administrative management of the customers/suppliers (commercial offers, purchase orders, invoices, delivery notes and other documents related to the contractual relationship possibly containing your personal data). Legal basis of the processing: legitimate interest of the Data Controller in the proper business management, also for the purpose of complying with the law. Data retention period: duration of the contractual relationship with the customer/supplier.
Purpose IV: purpose of judicial protection, to prevent or prosecute infringements. Legal basis of the processing: the legitimate interest in protecting our rights and in preventing infringements. Data retention period: it is equal to the period reasonably necessary to enforce our rights from the moment we become aware of the offence or of its potential commission.
The provision of data is necessary for the fulfilment of contractual terms and therefore any refusal to provide such data or to allow it to be processed will make it impossible for us to carry out the regular execution of the contractual relationship with data subject.
Personal data are collected and processed in accordance with the principles of correctness, lawfulness, transparency and protection of the confidentiality and rights of the data subject.
The processing of personal data is carried out, in compliance with the provisions of the GDPR and current legislation, by means of manual, paper, computer and telematic tools, so as to ensure the security and confidentiality of the data.
The Data Controller adopts appropriate security measures to prevent unauthorised access, disclosure, modification or destruction of personal data.
The data are processed at the Data Controller’s premises and at the systems of its service providers.
For the same purposes indicated above, the data collected will be processed by subjects involved in the organisation of the Data Controller qualified as authorised or external subjects (such as external consultants, service suppliers, etc), as data processors, with whom the Data Controller has signed a specific agreement for the processing of personal data pursuant to Article 28 GDPR. .
Should data be transferred to third countries, the Data Controller undertakes to enter into data processing agreements pursuant to article 28 GDPR with standard clauses in accordance with the decision of the European Commission concerning protection clauses or to transfer them by virtue of a decision of adequacy of the European Commission on data protection levels. Such parties located in third countries take only possession of the personal data which are necessary for the fulfillment of their obligations and can use it only to perform the services on behalf of the Data Controller or to comply with provisions of law.
You may obtain the updated list of the data processors at any time by writing to the Data Controller’s address mentioned above.
Personal data may also be disclosed to judicial or administrative authorities where required.
The data subject may exercise the following rights with regard to the data processed by the Data Controller:
Lodge a complaint. The data subject may lodge a complaint with the Data Protection Authority
You can exercise such rights by writing to the Data Controller’s address mentioned above.
The Data Controller reserves the right to make changes to this policy at any time by informing data subjects.