INFORMATION PROVIDED PURSUANT TO ARTS. 13 and 14 of REGULATION (EU) 2016/679 regarding the processing of the personal data of clients, prospect, suppliers and potential suppliers, and their employees and collaborators

Dear Sir / Dear Madam,

European Regulation (EU) 2016/679 (hereinafter the “GDPR”) establishes the laws on the protection of natural persons with regard to the processing of personal data, as well as the free movement of such data. In compliance with the principle of transparency, pursuant to Art. 5 of the GDPR, please be informed that during performance of a contract with its clients and suppliers, in performance of any controls, checks or audits it is subjected to, during precontractual negotiations or when comparing bids or calls for tender (hereinafter, in general, the “Business Relationship”), LA GALVANINA SPA may become aware of and process personal data (hereinafter the “Data”) concerning: a) the legal representative/owner; b) the employees/collaborators (hereinafter the “Data Subjects”) of client companies, prospect, suppliers and potential suppliers (hereinafter, for the sake of brevity, simply the ”Business Partners”).

Therefore, the Data Controller provides the following information for the Data Subjects. This information does not exclude that further information on the processing of personal data may be given to the Data Subjects, even using different methods and timescales. For any further information, doubts or clarification regarding the processing of Data, as well as to exercise the rights provided for Data Subjects by the GDPR, contact the Data Controller using the methods indicated below.

Data ControllerLA GALVANINA SPA
Tax Code/VAT No.:IT00142010404
With registered offices in Via della Torretta no. 2
Postcode 47923 – Rimini, Italy
(hereinafter the „Company or Data Controller„).
METHODS FOR CONTACTIONG THE DATA
CONTROLLER
Registered mail with return receipt to the registered office
E-mail to the following address: privacy@galvanina.com
CATEGORIES OF DATA PROCESSEDPUPOSES OF PROCESSINGLEGAL BASIS OF PROCESSING
1. The common personal data of the legal representative/owner of the Business Partner, consisting in: identification data (name and surname, identification document); contact data (phone number, email address); role.Data shall be processed to fulfil the Business Relationship between the Data Controller and the Business Partner, where the Data Subject is the legal representative/owner.Depending on each specific case, the processing of Data is necessary: for the performance of a contract to which the Data Subject is a party or in order to take pre-contractual steps at the request of the same (Art. 6, para. 1, letter b) of the GDPR); to comply with legal obligations to which the Data Controller is subject to (Art. 6, para. 1, letter c) of the GDPR (e.g. tax obligations, etc.)
2. The common personal data of the employees/collaborators of the Business Partner, consisting in identification data (name and surname); contact data (phone number, email address); data relating to their role.Data shall be processed to fulfil the Business Relationship between the Data Controller and the Business Partner the Data Subject works for or collaborates with.The processing of Data is necessary in order for the Data Controller to pursue its legitimate interest, consisting in the full and correct performance of the Business Relationship, pursuant to Art. 6, para. 1, letter f) of the GDPR.
3. The common personal data of the legal representative/owner of the Business Partner and its employees/collaborators, consisting in identification and contact data and data relating to their role.If applicable, the Data may also be processed:
 in the phase prior to precontractual negotiations to compare bids and/or calls for tender;
 to carry out any controls, checks or audits the Data Controller may be subjected to:
 to exercise or defend a right of the Data Controller relating to the Business Relationship
The processing of Data is necessary in order for the Data Controller to pursue its legitimate interest, pursuant to Art. 6, para. 1, letter f) of the GDPR.

PERIOD OF DATA RETENTION. Data are retained for the entire duration of the Business Relationship with the Business Partner and if relevant, for ten years following its interruption and/or in any case, in compliance with the provisions of applicable legislation on civil, fiscal and administrative matters relating to Data retention. The Data processed in the phase prior to drawing up a contract with the Partner or for checks, assessments and auditing activities shall be retained for the time strictly necessary to achieve the aforementioned purposes. Once the retention period indicated herein has elapsed, the Data shall be destroyed and rendered anonymous. Shorter or longer periods of data retention than those indicated above can be determined by specific laws, by legitimate requests/orders issued by the authorities or by participation of the Data Controller in legal proceedings that imply the processing of Data.

  1. PROCESSING METHODS
    Data shall be processed using paper and electronic methods, in compliance with the provisions on matters relating to the protection of personal data and in particular, the technical and organizational measures pursuant to Art. 32.1 of the GDPR, with observance of the precautionary measures that ensure its confidentiality, integrity and availability. The processing of data referred herein is not subject to automated decision-making processes.
  2. CATEGORIES OF DATA RECIPIENTS
    – Data are not subject to disclosure, unless this is required by law, by regulations or by European Community legislation.
    -Data may be communicated within the Company where necessary in order to fulfil a Business Relationship. In any case, the Data shall be processed by subjects who have been specially authorized by the Data Controller (for example, Company employees and collaborators, based on the role they cover) and have received specific operational instructions.
    – Subjects external to the Company may become aware of the Data. These are subjects who process the Data on behalf of the Data Controller as Data Processors (for example, data processing companies or companies that provide IT services) or who may legitimately become aware of the Data as independent data controllers (for example: public institutions, banks and credit institutes, legal consultants, members of the Data Protection Authority). Please be advised that the Data Controller has an updated list of external data processors, appointed pursuant to Art. 28 of the GDPR, that can be consulted by the Data Subject on request.
  3. ORIGINAL SOURCE OF DATA ANDA NATURE OF PROVISION OF DATA
    Data are provided by the Business Partner or else collected directly from the Data Subjects. Providing Data is necessary in order to fulfil the Business Relationship; any refusal to provide such Data may therefore, imply the impossibility for the Data Controller to fulfil the Business Relationship.
  4. TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES
    The Data Controller does not currently intend to transfer the Data towards countries not in the European Union/EEA. In any case, the Data Controller guarantees that any such transfer would take place:
    – in compliance with specific standard contract clauses approved by the European Commission pursuant to Art. 46 of the GDPR
    – towards countries the European Commission believes guarantee a suitable level of protection, in conformity with the provisions of Art. 44 and subsequent modifications and integrations of the GDPR.
    Any derogations to the above will only be made in compliance with Art. 49 of the GDPR.
  5. RIGHTS OF THE DATA SUBJECT – COMPLIANTS TO THE SUPERVISORY AUTHORITY
    By sending a registered letter with return receipt to the registered office of the Company or via email to the address indicated in the “Methods for Contacting the Data Controller” section above, the Data Subject can contact the Data Controller regarding the right to:
    a) access Data that concern him or her;
    b) rectification of such Data;
    c) erasure of the Data within the limits provided for by the GDPR;
    d) restriction of processing of Data should the conditions pursuant to Art. 18 of the GDPR apply;
    e) portability of Data in a structured format, in the cases referred to in Art. 20 of the GDPR;
    f) object to the processing of Data, pursuant to Art. 21 of the GDPR.

    Should the Data Subject believe that data processing breaches the GDPR, it shall have the right to complain to the Supervisory Authority. Please be advised that in Italy this is the “Garante per la Protezione dei Dati Personali”, based in Rome.