Privacy Policy for Suppliers
Information on the processing of personal data pursuant to Article 13 of the European Regulation on the protection of natural persons with regard to the processing of personal data (hereinafter also GDPR no. 679/2016) addressed to suppliers of goods and services of SAVIO S.P.A.
The Data Controller, as defined and identified below, with this document (the “information”), informs you of the purposes and methods of processing your personal data and your rights as a “data subject” pursuant to GDPR no. 679/2016 and the Privacy Code (Legislative Decree no. 196/2003).
RECIPIENTS OF THIS INFORMATION
This information is addressed to freelancers, sole proprietors, and individuals (directors, legal representatives, executives, employees, and general contacts of legal entities), whose personal data the Data Controller must process in order to enter into or follow up on service or supply contracts with the legal entity.
KEY DEFINITIONS PROVIDED BY ARTICLE 4 OF GDPR NO. 679/16
- Personal data: Any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, especially by reference to an identifier such as a name, identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
- Data processing: Any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or modification, retrieval, consultation, use, communication by transmission, dissemination or any other form of making available, alignment or combination, restriction, erasure, or destruction.
- Data Controller: The natural or legal person, public authority, service, or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data; when the purposes and means of such processing are determined by Union or Member State law, the Data Controller or the specific criteria applicable to its designation may be laid down by Union or Member State law.
- Data Processor: The natural or legal person, public authority, service, or other body that processes personal data on behalf of the Data Controller.
DATA CONTROLLER AND DATA PROCESSOR
The Data Controller is SAVIO S.P.A., with its registered office in CHIUSA DI SAN MICHELE (TO), Via Torino Strada Statale 25 n. 25, Tax Code and VAT number 12396890019, represented by the CEO Moshe Nash ABRAMOV.
An updated list of all appointed Data Processors is available at the Data Controller’s operational headquarters and will be provided upon written request addressed to the contacts listed below.
TYPES OF DATA PROCESSED
The processing of your personal data takes place in compliance with the principles of fairness, lawfulness, and transparency.
The following common data are processed:
- Identification and contact details (e.g., professional title, first name, last name, date of birth, address, phone number, email, and other contact details, tax code, VAT number, any identification number, other personal identification elements) of natural persons (professionals, sole proprietors, as well as legal representatives, directors, managers, employees, collaborators, and representatives of companies and/or other legal entities) with whom the Data Controller has direct contact for the overall management of the contractual relationship;
- Other personal data that may be necessary for the conclusion and execution of the contract and for compliance with legal obligations for civil, accounting, and tax purposes;
- Banking data for making payments required by the contract;
- Special categories of data and judicial data within the whistleblowing procedure (reporting of unlawful conduct, as specified in the dedicated notice).
The data is provided directly by the data subject or collected from third parties (for example, from the company for which the data subject works).
PURPOSES OF DATA PROCESSING
The processing of personal data will be carried out for the following purposes:
- Establishment, management, and termination of the contract/order for supply, service, professional services, and/or the granting of related assignments and mandates;
- Accounting, fiscal obligations, payments;
- Inclusion of data in the supplier list and its updating;
- Compliance with obligations provided by laws, regulations, and EU legislation, procedures established by certified management systems adopted by SAVIO S.P.A., the whistleblowing procedure, as well as provisions issued by public authorities and supervisory and control bodies;
- Any other need related to the contractual relationship, even after its conclusion, such as the defense of a right or legal obligations.
LEGAL BASES FOR DATA PROCESSING
The processing of the data mentioned above for the specified purposes is based on the following legal grounds:
- Article 6(1)(b) GDPR (processing necessary for the performance of a contract to which the data subject is a party, or for the performance of pre-contractual measures taken at the request of the data subject);
- Article 6(1)(c) GDPR (processing necessary for compliance with a legal obligation to which the Data Controller is subject);
- Article 6(1)(f) GDPR (legitimate interest of SAVIO S.P.A. to protect its rights in all instances and to process the personal data of employees, directors, representatives, or administrators of the customer entity for the purpose of concluding, fulfilling, and executing the contract with the legal entity. In this case, your personal data will only be processed to the extent necessary for managing the existing relationship between the Data Controller and the legal entity for which you work);
- For special categories of data and judicial data, possibly processed within the whistleblowing procedure (reporting of unlawful conduct), Article 9(1)(b) GDPR (the processing is necessary for fulfilling obligations and exercising specific rights of the Data Controller or the data subject in employment law, social security, and social protection, insofar as authorized by Union law or the laws of Member States or a collective agreement in accordance with the laws of Member States, with appropriate safeguards for the fundamental rights and interests of the data subject), Article 9(2)(f) GDPR (the processing is necessary for the establishment, exercise, or defense of legal claims), and Article 2-octies Legislative Decree No. 196/2003.
NATURE OF DATA PROVISION AND CONSEQUENCES OF ANY REFUSAL
- The provision of personal data is essential for the establishment of the contractual relationship.
- Failure to provide the data will result in the impossibility for the Data Controller to conclude and execute the supply or service contract.
- Regarding the reporting of unlawful conduct (whistleblowing), the provision of data is voluntary; any failure to communicate will prevent the activation of the related procedure.
PROCESSING METHODS
- The processing of all acquired data will be carried out using both paper-based and electronic tools, in compliance with personal data protection regulations and, in particular, the security measures provided by Article 32 of GDPR 679/16, ensuring that all necessary precautionary measures are taken to guarantee confidentiality and security.
DATA RETENTION PERIOD
The data subject to this notice will be processed and stored by the Data Controller and by the entities appointed as Data Processors, as well as by authorized individuals, in compliance with the principle of proportionality:
- For the entire duration of the supply/service contract and until the expiration of any legal or contractual warranties, unless further legal obligations and/or requests from competent authorities apply.
- From the termination of the contractual relationship, for a maximum period of 10 years in compliance with the prescription period set by the civil code.
- For compliance with tax obligations: for the entire duration of the contract, as well as for the following 10 years from the end of the fiscal year after the relevant one, to handle tax assessments/disputes.
- For obligations set by the whistleblowing procedure, for the time necessary to process the report and in any case, no longer than 5 years from the date of communication of the final outcome of the reporting procedure, subject to specific obligations (e.g., judicial matters and the protection of rights/legitimate interests).
- In the event of legal disputes, should it be necessary to defend or take action, or even assert claims against you or third parties, the Data Controller may retain personal data deemed reasonably necessary for such purposes and for as long as the claim can be pursued.
SCOPE OF COMMUNICATION AND DISSEMINATION OF PERSONAL DATA
Your personal data may be communicated to the following subjects or categories of subjects:
- Entities that the Data Controller relies on for the management of the supply/service contract:
- Banks, for the payment of amounts due under the contract.
- Entities managing the IT system of SAVIO S.P.A.
- Entities managing the obligations required by the procedures and management systems adopted by the Company.
- Certification bodies for the management systems adopted by the Company.
- Corporate bodies of SAVIO S.P.A.
- Entities handling administrative, legal, accounting, and tax obligations for the Data Controller.
- Companies and consultants providing legal consultancy services.
- Consultants or suppliers to whom the Data Controller assigns tasks for certain outsourced activities.
- Insurance companies with which the Data Controller has agreements or relationships (e.g., for the reimbursement of expenses).
- Authorities and supervisory and control bodies, and generally public or private entities with public functions.
- Any other subjects to whom communication is required by applicable legal and/or contractual provisions.
The recipients mentioned above may, in some cases, act as independent Data Controllers and, in other cases, as Data Processors appointed by SAVIO S.P.A. pursuant to Article 28 of GDPR 679/16.
Your personal data will not be subject to dissemination unless required by law, regulation, or EU legislation.
The data will not be transferred outside the European Economic Area.
If necessary, SAVIO S.P.A. will act in compliance with the provisions of Chapter V of GDPR.
All measures will be adopted to ensure the protection of personal data, basing the processing on:
- A decision of adequacy by the European Commission;
- The existence of adequate safeguards under Article 46 of GDPR;
- The adoption of Binding Corporate Rules under Article 47 GDPR.
SAVIO S.P.A. uses services and programs, including cloud services, such as Microsoft 365, whose servers and data centers are located within the European Union. For maintenance/diagnostic reasons related to the IT infrastructure and operational requirements of cloud services, as well as for cybersecurity reasons, Microsoft may perform operations from outside the EU/EEA.
In these cases, the EU-US Data Privacy Framework applies, to which Microsoft adheres, subject to an adequacy decision by the European Commission dated July 10, 2023 (all information is available on the following websites: https://www.microsoft.com/it-it/trust-center/privacy; https://www.microsoft.com/en-us/privacy/privacystatement and https://learn.microsoft.com/it-it/privacy/eudb/eu-data-boundary-transfers-for-all-services).
RIGHTS RECOGNIZED TO THE DATA SUBJECT
At any time, you can exercise your rights with respect to the Data Controller and the Data Processor pursuant to Chapter III (Articles 12-22) of GDPR 679/16.
In particular, as a data subject, you have:
- The right to access personal data held in paper and/or electronic records and to other information as provided by Article 15 of GDPR 679, namely:
  - a) The purposes of the processing;
  - b) The categories of personal data being processed;
  - c) The recipients or categories of recipients to whom the personal data have been or will be communicated, especially if recipients are in third countries or international organizations;
  - d) Where possible, the period for which personal data will be stored or, if not possible, the criteria used to determine that period;
  - g) If the data have not been collected from third parties, all available information regarding their source.
- The right to obtain the rectification of inaccurate personal data without undue delay. Considering the purposes of the processing, you also have the right to obtain the completion of incomplete personal data, possibly by providing a supplementary statement (Article 16 GDPR 679/16);
- The right to obtain the erasure of personal data concerning you without undue delay if one of the grounds in Article 17, paragraph 1 of GDPR 679/16 applies;
- The right to object to the processing and/or to obtain the restriction of processing when one of the cases referred to in Article 18, paragraph 1 of GDPR 679/16 applies;
- The right to lodge a complaint with a supervisory authority, for Italy with the Data Protection Authority, according to the procedures set out on the institutional website www.garanteprivacy.it;
- The right to data portability within the limits and in the manner provided by Article 20 of GDPR 679/16;
- The right to object at any time, for reasons related to your particular situation, to the processing of personal data in the cases and in the manner set out in Article 21 of GDPR 679/16;
- The right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning you or significantly affects you in a similar way (Article 22 GDPR 679/16). This does not apply to decisions necessary for the conclusion or performance of a contract between you and the data controller; authorized by EU law or the law of the member state to which the Data Controller is subject (Italy in this case); or based on the explicit consent of the data subject.
The rights summarized above can be exercised by submitting a request to the Data Controller, including through an authorized representative, who will provide an appropriate response without delay. The request to the Data Controller, including through an authorized representative, must be sent by registered letter or email, including certified email (PEC).
In the case of receiving the request via email, the recipient will promptly provide confirmation of receipt and acknowledgment of the request.
Please note that the rights mentioned above may be subject to limitations, pursuant to Article 23 of GDPR 679/16 and Article 2-duodecies of the Privacy Code (Legislative Decree No. 196/2003) for reasons related to justice (including judicial processing of business and disputes). In these cases, you can still exercise your rights through the Data Protection Authority according to the procedures set out in Article 160 of the Privacy Code.
CONTACTS
You can assert the rights described above by writing to the company SAVIO S.P.A., with registered office at Via Torino Strada Statale 25, No. 25 – 10050 CHIUSA DI SAN MICHELE (TO), or by sending an email to privacy@savio.it or a certified email (PEC) to hope57@legalmail.it.
Latest updates: January 2025