GDPR information for suppliers and customers

For the management of contractual relationships with the data subject, DGI, as data controller, processes certain data, defined as “personal”. Pursuant to EU Regulation 2016/679 (“GDPR”), in particular Articles 13 and 14 thereof, and the national legislation in force on the protection of personal data, the data controller is required to provide information on the processing of personal data and the rights to which the data subject is entitled.

We kindly ask you to carefully read this privacy notice, which concerns the processing of personal data of customers and suppliers who are natural persons, as well as of natural persons acting on behalf of customers and suppliers.

Data controller

The Data Controller is:
Via A. Aleardi, 12 20154 MILANO – MI

Personal data collected

Personal data collected and processed are:

  • Identification data: surname and first name
  • Contact data: postal address, country, telephone number, e-mail address, certified e-mail address, billing/shipping address.
  • Bank details for payment of invoices for services provided

Source of data

The personal data may be collected:
• directly from the data subject or
• from publicly accessible sources (e.g. documents published in chambers of commerce, etc.)

Purpose and legal basis of processing – data retention period

The Data Controller will process personal data for the following purposes:

Purpose I: performance of the agreement to which the customer/supplier is a party or processing of the customer’s/supplier’s pre-contractual requests. Legal basis of the processing: fulfillment of the contractual obligations or performance of pre-contractual activities requested by the data subject. In the absence of such data, the performance of the agreement or the supply of what is requested by the customer/supplier will be impossible. Data retention period: retention period necessary to fulfill the pre-contractual request or period necessary to perform the agreement.

Purpose II: activities required by law, including tax, health and safety at work, environment, anti-money laundering, banking and public security law. Legal basis of the processing: need to comply with the law. Data retention period: retention period required by law.

Purpose III: administrative management of the customers/suppliers (commercial offers, purchase orders, invoices, delivery notes and other documents related to the contractual relationship possibly containing your personal data). Legal basis of the processing: legitimate interest of the Data Controller in the proper business management, also for the purpose of complying with the law. Data retention period: duration of the contractual relationship with the customer/supplier.

Purpose IV: purpose of judicial protection, to prevent or prosecute infringements. Legal basis of the processing: the legitimate interest in protecting our rights and in preventing infringements. Data retention period: it is equal to the period reasonably necessary to enforce our rights from the moment we become aware of the offence or of its potential commission.

Provision of personal data

The provision of data is necessary for the fulfilment of contractual terms and therefore any refusal to provide such data or to allow it to be processed will make it impossible for us to carry out the regular execution of the contractual relationship with the data subject.

How personal data are processed

Personal data are collected and processed in accordance with the principles of correctness, lawfulness, transparency and protection of the confidentiality and rights of the data subject.

The processing of personal data is carried out, in compliance with the provisions of the GDPR and current legislation, by means of manual, paper, computer and telematic tools, so as to ensure the security and confidentiality of the data.

The Data Controller adopts appropriate security measures to prevent unauthorised access, disclosure, modification or destruction of personal data.

The data are processed at the Data Controller’s premises and at the systems of its service providers.

Recipients or possible categories of recipients of personal data

For the same purposes indicated above, the data collected will be processed by subjects involved in the organisation of the Data Controller qualified as authorised or external subjects (such as external consultants, service suppliers, etc.), as data processors, with whom the Data Controller has signed a specific agreement for the processing of personal data pursuant to Article 28 GDPR.

Should data be transferred to third countries, the Data Controller undertakes to enter into data processing agreements pursuant to Article 28 GDPR with standard clauses in accordance with the decision of the European Commission concerning protection clauses or to transfer them by virtue of a decision of adequacy of the European Commission on data protection levels. Such parties located in third countries take possession only of the personal data which are necessary for the fulfillment of their obligations and can use them only to perform the services on behalf of the Data Controller or to comply with provisions of law.

You may obtain the updated list of the data processors at any time by writing to the Data Controller’s address mentioned above.

Personal data may also be disclosed to judicial or administrative authorities where required.

Data subject’s rights

The data subject may exercise the following rights with regard to the data processed by the Data Controller:

  • Object to the processing of their data. The data subject may object to the processing of their data when it is done on a legal basis other than consent.
  • Access their own data. The data subject has the right to obtain information on the data processed by the Data Controller, on certain aspects of the processing and to receive a copy of the processed data.
  • Verify and request rectification. The data subject may verify the correctness of their data and request that it be updated or corrected.
  • Obtain restriction of processing. When certain conditions are met, the data subject may request the restriction of the processing of their data. In this case, the Data Controller will not process the data for any purpose other than its storage.
  • Obtain the erasure (right to be forgotten) or removal of their personal data. When certain conditions are met, the data subject may request the erasure of their data by the Data Controller.
  • Receive their data or have it transferred to another data controller (portability). The data subject has the right to receive their data in a structured, commonly used and machine-readable format and, where technically feasible, to have it transferred without hindrance to another data controller. This provision is applicable when the data are processed by automated means and the processing is based on the data subject’s consent, on a contract to which the data subject is party, or on related contractual measures.
  • Lodge a complaint. The data subject may lodge a complaint with the Data Protection Authority.

How to contact us

You can exercise such rights by writing to the Data Controller’s address mentioned above.

Amendments to this notice

The Data Controller reserves the right to make changes to this policy at any time by informing data subjects.

EU Regulation 2016/679 (“GDPR”): processing of personal data. Privacy Policy – information pursuant to Art. 13 and 14 GDPR. Version update: February 1, 2021
