Clients/suppliers (concerned by data processing) and their representatives (hereinafter referred to as “data subjects” pursuant to Article 4 paragraph 1 of the GDPR) are hereby informed that the professional relationships established with the undersigned Controller may entail the processing of personal data, in compliance with the following general principles:
- all data are processed in a lawful, fair and transparent way for the data subject, in compliance with the general principles set forth by Article 5 of the GDPR;
- specific security measures are taken to prevent the loss, unlawful or unfair use of or unauthorised access to data;
- the Data Controller is Ikron S.r.l., via C. Prampolini 2 – 43044 Lemignano – Collecchio; 0521-304911; e-mail: firstname.lastname@example.org
- the Controller can be contacted in order to exercise all the rights provided for by Articles 15-21 of the GDPR (right of access, rectification, erasure, limitation, portability, objection) as well as to withdraw a previously given consent or lodge a complaint with a data protection supervisory authority.
DATA UNDERGOING PROCESSING
The Controller processes personal identification data of the client/supplier (e.g. name, surname, company name, personal/tax data, address, telephone number, e-mail, bank and payment reference data) and of his/her representatives (name, surname and contact details) acquired and used during the provision of services by the Controller.
LEGAL BASIS AND PURPOSES OF THE PROCESSING
Data are processed:
- to establish contractual/professional relationships;
- to fulfil pre-contractual, contractual and tax obligations arising in relation to the existing relationships, as well as to manage the required notices connected with them;
- to fulfil legal obligations, or obligations set forth by a regulation, the EU legislation or by an order issued by the Authority;
- in order for the Controller to exercise a legitimate interest as well as a right (e.g.: right of defence of legal claims, protection of claims; ordinary internal operational, management and tax needs).
Failure to provide said data will prevent the establishment of the relationship with the Controller. In accordance with Article 6 paragraphs b, c, f, the above-mentioned purposes provide an appropriate legal basis for the lawfulness of the processing. Should the processing be carried out for different purposes, specific consent shall be required from the data subjects.
Personal data are processed by means of the operations indicated in Article 4 no. 2) GDPR, more specifically: collection, recording, organisation, storage, consultation, processing, alteration, selection, retrieval, alignment, use, combination, denial, disclosure, erasure and destruction of data. Personal data are processed both by paper and by electronic and/or automatic means. The Controller shall process personal data for the amount of time required to fulfil the purposes for which they have been collected and the related legal obligations.
SCOPE OF THE PROCESSING
Data are processed by internal individuals, who are duly authorised and instructed to carry out the processing in compliance with Article 29 of the GDPR. Information on the scope of disclosure of personal data may also be requested, in order to obtain precise indications as to whether there are external individuals acting in the capacity of autonomous Processors or Controllers (consultants, specialists, bank institutions, carriers, etc.). It is also hereby stated that personal data may be subject to an intercompany disclosure among the Group’s companies. Data are not disclosed or handed over to extra-EU countries. Should it be necessary, within the context of tender procedures or contracts or for the fulfilment of regulatory obligations (e.g.: joint liability, anti-corruption, anti-mafia, anti-money laundering, etc.), to acquire from clients/suppliers their employees’ personal data, the parties hereby agree that the undersigned company shall be authorised to process such data in the capacity of External Processor (Article 28 of the GDPR) or of authorised subject (Article 29 of the GDPR). Within such relationship, the undersigned company commits itself to processing such data in compliance with the requirements provided for by the GDPR, ensuring that it will only disclose data to other subjects within the context of specific legal obligations.
RIGHTS OF THE DATA SUBJECT (GDPR Articles 15-22)
At any time, the data subject may exercise the right to:
- ask for confirmation of the existence or otherwise of their personal data;
- obtain information about the purposes of the processing, the categories of personal data, the recipients or categories of recipients to whom the personal data have been or will be communicated, and, where possible, the period of time for which the data will be stored;
- obtain the rectification or erasure of the data;
- obtain the restriction of the processing;
- obtain the portability of the data, i.e. receive them from one data controller, in a commonly used, structured format that can be read by an automatic device, and transmit them to another data controller without impediment;
- object to the processing at any time, including in the case of processing for direct marketing purposes;
- object to an automated decision-making process relating to individuals, including profiling;
- file a claim with the Italian Data Protection Supervisor.