via Guarneri Zanetti, n. 22
26033 Pescarolo Ed Uniti (CR)
concerning the processing of personal data of customers/suppliers and their points of contact
EU Reg. 2016/679 – G. D. P.R.
General Data Protection Regulation
Articles 12, 13, 14
We would like to inform customers/suppliers and their points of contact (hereinafter referred to as “data subjects”, pursuant to Art. 4, paragraph 1, of the GDPR) that the professional relationships established with the undersigned data controller may involve the processing of personal data, in compliance with the following general principles:
- all data is processed in a lawful, correct, and transparent manner in relation to the data subject and in compliance with the general principles set out in Art. 5 of the GDPR;
- specific security measures are adopted to prevent loss of data, unlawful use or misuse thereof, and unauthorised access thereto;
- the Data Controller is the undersigned company, namely Lindbergh S.p.A., via Guarneri Zanetti 22, 26033 Pescarolo Ed Uniti (CR), Tel. 0372 836220, email@example.com
- the Data Controller has not appointed a Data Protection Officer as no data processing falls within the definition set out in Art. 37 of the GDPR (EU Reg. 2016/679).
SUBJECT OF THE PROCESSING
The Data Controller processes the personal identification data of the customer/supplier and their points of contact (for example, first name, surname, company name, identification /tax details, address, telephone number, email address, bank and payment details) and the data of their points of contact for operational activities (first name, surname, and contact details), such data being acquired and used as part of the activity carried out by the Data Controller.
PURPOSE AND LEGAL BASIS OF THE PROCESSING
The data is processed for the following purposes:
- to enter into contractual/business relationships;
- to meet pre-contractual, contractual, and tax requirements arising from existing relationships, as well as to manage the necessary communications connected to these;
- to meet requirements established by law, by a regulation, by EU legislation, or by an order issued by an authority
- to protect a legitimate interest as well as to exercise a right of the Data Controller (for example: the right of defence in court, the protection of credit; ordinary internal operational, managerial, and accounting needs).
Failure to provide the aforesaid data will make it impossible to establish a relationship with the Data Controller. The aforesaid purposes are, pursuant to Art. 6, paragraphs b, c, and f, appropriate legal bases for the lawfulness of the processing. If the Data Controller intends to process the data for different purposes, specific consent will be sought from the data subjects.
The processing of personal data may involve any of the operations stated in Article 4, paragraph 2) of the GDPR, and more precisely: collection, recording, organisation, storage, consultation, alteration, selection, retrieval, alignment, use, interconnection, blocking, disclosure, erasure, or destruction of data. Personal data will be processed using both paper and electronic and/or automated means. The Data Controller will process personal data for the length of time needed to the purposes for which it was collected and in accordance with related legal requirements.
SCOPE OF THE PROCESSING
The data is processed internally by authorised personnel who have received training pursuant to Art. 29 of the GDPR. It is also possible to request the scope of disclosure of personal data, obtaining precise information on any external parties who or which operate in the capacity of data processors or independent data controllers (consultants, technicians, banks, haulage firms, etc.). You are also advised that personal data may be disclosed within intercompany communications between or among the companies in the Group. The data is not disclosed or transferred to non-EU countries. If it is necessary, in the context of calls for tender/contracts or to meet regulatory requirements (e.g. on joint liability, anti-corruption, anti-mafia, anti-money laundering, etc.), to acquire personal data from customers/suppliers about their employees, it is agreed between the parties that the undersigned company will be entitled to process such data as an external processor (Art. 28 GDPR) or an authorised party (Art. 29 of the GDPR). As part of this relationship, the undersigned company undertakes to process such data in accordance with GDPR compliance requirements, guaranteeing that any disclosure thereof to other parties will take place exclusively within the scope of specific legal requirements.
RIGHTS OF THE DATA SUBJECT (GDPR Articles 15-22)
The data subject may exercise, at any time, the right to:
- seek confirmation of the existence or otherwise of their personal data.
- obtain information on the purposes of the processing, the categories of personal data, the recipients or categories of recipients to whom the personal data has been or will be disclosed and, when possible, the retention period.
- obtain the rectification and erasure of data.
- obtain processing restrictions.
- obtain data portability, i.e. to receive the data from a data controller in a structured, commonly used, and machine-readable format, and transmit the data to another data controller without hindrance.
- object to the processing at any time, including therein in the event of processing for direct marketing purposes.
- object to an automated decision-making process relating to natural persons, including profiling.
- file a complaint with the Italian data protection authority (known as the Garante).