Information on the processing of personal data of customers and suppliers
Art. 13 EU Reg. 2016/679
With this document, the company Landini S.r.l. informs its customers and suppliers of the ways in which their personal data will be processed, in accordance with art. 13 of the EU Reg. 2016/679. Only data related to natural persons are considered to be personal data, while data relating to companies and legal entities are not included in this information.
The Data Controller
The data controller is the company Landini S.r.l., VAT number 00284470978, which can be contacted at the following addresses: Via Milano, 29, 59013 Montemurlo (PO), IT, Tel. +39 0574/655181, e-mail: firstname.lastname@example.org, PEC: email@example.com
Type of data processed
In respect ofits customers and suppliersbeing natural persons, the Controllerwill only process non-sensitivedata. By way of example and not being an exhaustivelist, data such asthe following may be processed: name and surname, address, tax code, VAT number, telephone number, e-mail address, bank details necessary to make and/or receive payments, products purchased.
Data relating to legal entities (e.g.company name, registered office, VAT number, companytelephonenumbersand e-mails,etc.) are not personal data and do not fall within the scope of this statement. However, with reference to clients and suppliers being legal entities, some data of natural persons indicated as legal representatives or contacts may be processed. Also in this case,only non-sensitive data will be processed, in particular the contact data required for communication (e.g.personal telephone number or personal e-mail).
Neither personal data beingspecial categories of personal data pursuant to art. 9 of EU Reg. 2016/679 (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data related to health or a natural person’s sex life or sexual orientation), nor data relating to criminal convictions and offences pursuant to art. 10 EU of Reg. 2016/679will be processed.
Purposes and criteria of lawfulness of the processing
Personal data mentioned above are processed for the following purposes:
– To allow the performanceand correct preparation of contracts with customers and suppliers
For the aforementioned purpose, all data necessary for the performanceof the contract are processed, such as the name and surname of the customer or supplier, shipping address, and purchased products. In order to process the data for the aforementioned purpose, the consent of the data subject is not required. The lawfulness of the processing is based on its necessity in order to performthe contract pursuant to art. 6 b) of EU Reg. 2016/679.
– To allow the fulfillment of legal obligations in accounting and tax matters
The name and surname, address, tax code, VAT numberandproducts purchased are processed for this purpose. In order to process the data for the aforementioned purpose, the consent of the data subjectis not required. The lawfulness of the processing is based on its necessity in order to fulfill the legal obligations in accounting and tax matters pursuant to art. 6 c) of EU Reg. 2016/679.
– To allow email communications for direct marketing purposes
This processing purpose only concerns customers and not suppliers. To this end, the e-mail address provided by the data subjects in the context of the sale of a product or service (associated with the name and the product or service purchased) is processed to promote the sale of products or services similar to those previously sold. The lawfulness of the processing is based on the legitimate interest of the Data Controller pursuant to art. 6, lett. f Reg. 2016/679, on the basis of the balancing of interests carried out by the Italian Authority with the provision n. 330 of 4 July 2013 (Guidelines on promotional activities and the fight against spam). The interested party can refuse this processing at any time.
The refusal to provide data necessary for the performanceof the contract and to fulfill legal obligations renders the performance ofthe contractimpossible.
The Data Controller may entrust some processing of personal data of its customers and suppliers to external parties (such as consultants, accountants, hosting providers, cloud computing service providers, IT system maintainers, etc.), both legal entities and natural persons, ensuring they arecontractually bound tomaintain maximum confidentiality in respect of thepersonal data and to treat thepersonal datain compliance with the guarantees and adequate security measures required by EU Reg. 2016/679.
Persons in charge of processing
In addition to the Controllerand processors, the personal data of customers and suppliers may be processed by personnel in charge. These subjects have been expressly appointed as persons in charge of processingpersonal data and have been provided with the necessary instructions to ensure the protection and confidentiality of personal data.In the event that the processing of some personal data is entrusted to external parties, the Data Controller will instruct them in accordance with art. 29 EU Reg. 2016/679 in order to ensure compliance with the obligations of confidentiality.
Other recipients of personal data
In order to allow the Controller to fulfill his tax obligations, some data may be transferredto the Tax Agency.
In order to allow the Data Controller to cover risks, some personal data may be disclosed to insurance companies.
The Data Controller may communicate personal data of a data subject to public authorities in the event that heis obliged to do so by law or by court order.
The natureof processing
Personal data of customers and suppliers can be processed either electronically or through paper archives. Customers and suppliers data are processed using a company management software and are stored on a server inside the company.
The Controller ensuresappropriate measures to protect the personal data of its customers and suppliersare takenin proportion to the degree of risk they entail.
The duration of processing
Personal data necessary for the performanceof a contract will be kept for the duration necessary to perform the contract.
The e-mail address can be stored together with the name and surname of the data subject and the product or service purchased for a period of additional 24 months from the termination of the contract, in order to communicate information about the services already purchased.Contact details of natural persons (such as telephone number and e-mail address) may be kept for a longer period of timein relation to regular customers/suppliers. This,in order to avoid asking for the same data every time, slowing down the work of both parties.Oncean appropriate time period, which is considered to quantify in 24 months,has elapsed since the last contact, the Controlleragrees to erasethese data as well. The data subject is free to ask the deletion of these data at any time.
Personal data necessary for the fulfillment of tax and accounting obligations are kept, in digital format and/or in paper format, for the duration of 10 years, in compliance with legal obligations given by art. 2220 of the Italian Civil Code.
Rights of the data subject
With reference to the above mentioned processing, the data subject has the following rights.
The data subjecthas the right to ask the Controller,at any time,to accesspersonal data concerning him and that are processed by the latter, pursuant to art. 15 of EU Reg. 2016/679.
He also has the right to ask for the rectification of inaccurate data and for the integration of incomplete data, pursuant to art. 16 EU Reg. 2016/679.
The data subject has the right to obtain the erasure of data that are no longer necessary for the purpose for which they are processed, of those processed on the basis of his consent when the latter is revoked, of those that are unlawfully processed, etc. In order to know the other cases in which he can obtain the erasure, the data subject can refer to the art. 17 EU Reg. 2016/679.
The data subject has the right to obtain the restriction of the processing of his data pursuant to art. 18 EU Reg. 2016/679, the portability of data pursuant art. 20 of the EU Reg. 2016/679, as well as the right to object to the processing pursuant to art. 21 EU Reg. 2016/679.
In the event that the data subject believes there has been a violation in the processing of his data, he may file a complaint with the relevant supervisory authority for the processing of personal data.
The data subject can not oppose the processing or demand the erasure of data that the Controller is obliged to process for the fulfillment of accounting and tax obligations or other legal obligations.
For any communication or request or to exercise hisrights regarding the processing of personal data, the data subject may contact the Data Controller using the above contact information.