Basic Privacy Statement Suppliers - SISMA

Basic Privacy Statement – Suppliers

 

Who is the data controller?

Sisma S.p.A. hereinafter referred to as the Data Controller

Address: Via Industria 1 (36013) Piovene Rocchette (VI)

Tel.:

Email: privacy@sisma.com

Who is the Data Protection Officer?

DPO

dpo@sisma.com

Who are the recipients?

external data processors and any additional data controllers

  • Any suppliers involved in the administrative and accounting management
  • IT consultants
  • Group companies to which the Data Controller belongs.

 

What will be done with your personal data?

Personal data will be processed:

The data will be processed on the basis of:

The personal data concerning you are:

for the execution and management of the contractual relationship established

– activities planned upon agreement of the contract

– contract

– fulfilment of activities resulting from the relationship established and governed for the reference sector of the data controller

  • name, surname
  • tax code or VAT number
  • place and date of birth
  • address
  • telephone number
  • email
  • identification code
  • current account number
  • data relating to criminal convictions and/or offences exclusively in the case of litigation

for archiving and retention

– contract, for its entire duration

– fulfilment of obligations resulting from the established relationship, such as accounting and the exercise of rights dependent on the contract

for communication to recipients and/or third parties depending on the contractual relationship and the obligations deriving from it

– fulfilment of obligations deriving from the relationship established

– legitimate interest of the data controller or third parties and recipients

for the fulfilment of IT security obligations

– fulfilment of obligations deriving from the relationship established

– legitimate interest of the data controller or third parties and recipients

  • logical accesses
  • data relating to the authorisation profiles, where assigned
  • data traffic (connection to the public and/or company network)

The following personal data were not provided directly by you

Data relating to criminal convictions, offences and/or related security measures

Information relating to commercial and/or professional activities

IT data

 

What is the origin of the personal data not provided by you?

other data controllers, e.g. Group companies to which the Data Controller belongs.

lists kept by public authorities or under their authority or similar bodies based on specific national legislation

IT services provider

 

The Data Controller informs you that you can exercise the right of complaint to the competent Authority and the other rights provided for by arts. 15 et seq. of the European Regulation (EU) 2016/679 at any time.

 

For more information, see the complete privacy statement in the privacy section of the website www.sisma.com or contact us at privacy@sisma.com.

 

 

 

Full Privacy Statement – Suppliers

 

About us and what we do with your personal data

Sisma S.p.A., with registered office in Via Industria 1, (36013) Piovene Rocchette (VI) (hereinafter also the Data Controller), in its capacity as data controller, is concerned with the confidentiality of your personal data and guarantees that they will be protected against any event that may put them at risk of breach.

To this end, the Data Controller implements policies and practices regarding the collection and use of personal data and the exercise of the rights recognised by the applicable legislation. The Data Controller is responsible for updating the policies and practices adopted for the protection of personal data whenever necessary and in any case in the event of regulatory and organisational changes that could affect the processing of your personal data.

 

The Data Controller has appointed a Data Protection Officer (DPO) whom you can contact if you have questions about the policies and practices adopted: dpo@sisma.com

How and why does the Data Controller collect and process your personal data?

The Data Controller collects and/or receives information about you, such as:

  • name, surname
  • tax code or VAT number
  • place and date of birth
  • address
  • email
  • telephone number
  • identification code
  • current account number
  • data relating to criminal convictions and/or offences exclusively in the case of litigation

 

The personal data concerning you will be processed for the following purposes:

 

1) the management of the contractual supply relationship and the consequent obligations, including regulatory obligations

 

Purpose

Legal basis

– management of the contractual relationship in all its phases, from negotiations to settlement, whatever the cause

–  monitoring and updating of the conditions of supply and/or services and assignments

– registration, invoicing and accounting

Performance of contractual and pre-contractual activities

 

Fulfilment of legal obligations and of obligations dependent on the contract and the relationship established, including those deriving from:

– Presidential Decree no. 633/1972 as amended

– Presidential Decree no. 600/1972 as amended

– Code of Ethics of the Data Controller

Fulfilment of economic-financial and corporate reporting obligations

 

Your data may also be collected from third parties such as:

  • other data controllers, e.g. Group companies to which the Data Controller belongs.
  • IT services provider;

and the data concerning you can be obtained by consulting:

  • lists kept by public bodies or equivalent or under the control of public authorities on the basis of specific national legislation;

 

2) for communication to third parties and for dissemination

 

Purpose

Legal basis

communication to third parties such as:

–  Group companies to which the Data Controller belongs

– Any suppliers involved in administrative and accounting management

– IT consultants

– Public entities

 

Performance of contractual and pre-contractual activities

 

Fulfilment of contractual obligations

 

Fulfilment of legal obligations, including those dependent on:

– Presidential Decree no. 633/1972 as amended

– Presidential Decree no. 600/1972

Fulfilment of obligations dependent on:

       –

Fulfilment of transparency and economic-corporate reporting obligations

 

The Data Controller does not transfer your personal data abroad (non-EU countries). Your personal data may be disseminated and disclosed through the websites of the Data Controller where, if necessary, lists of suppliers and consultants are published in application of the Code of Ethics and the obligations of transparency and economic-corporate reporting.

 

The communication and dissemination concern the categories of data whose transmission and/or disclosure is necessary for the performance of the activities and purposes pursued by the Data Controller in the management of the relationship established. The relative processing does not require the consent of the data subject in the event that it is carried out in relation to legal obligations or to fulfil the obligations deriving from the contractual relationship or in the event of other cases of exclusion (in particular application of the provisions referred to in the Code of Ethics and/or legitimate interest of the Data Controller), expressly provided for or dependent on the legislation and regulations applied by the Data Controller, or also through third parties identified as data processors.

 

3) for IT security activities

 

Purpose

Legal basis

– control and monitoring of the services displayed on the network and on the platforms pertaining to the Data Controller and made available to you also as part of the activities carried out on behalf of the Data Controller (access to the reserved area, websites, mailbox, management of the systems in use, etc.)

 

– implementation of procedures for detecting and reporting personal data breaches (data breaches)

Carrying out activities dependent on the relationship established

 

Fulfilment of legal obligations (detection and notification of data breaches)

 

Legitimate interest

 

How, where and for how long is your data stored?

 

How?

Data processing is carried out through hard-copy or IT procedures by specifically authorised internal parties. They are allowed access to your personal data to the extent and to the limits necessary to perform the processing activities that concern you.

The Data Controller periodically checks the tools through which your data are processed and the security measures envisaged for them, which require constant updating; it checks to ensure, including through the parties authorised to process the data, that personal data that do not need to be processed are not collected, processed, archived or retained; it checks to ensure that the data are retained with the guarantee of completeness and authenticity and they are effectively used for the purposes of the processing.

The Data Controller guarantees that the data that, even as a result of the checks, are excessive or irrelevant will not be used except for the possible retention, in accordance with the law, of the legal instrument or document that contains them.

 

Where?

The data are stored in hard copy, computer or electronic archives, located within the European economic area, and specific security measures are ensured. Your personal data may be transferred to the following non-EU countries – with full assurance of the guarantees provided for by European legislation:

 

– USA: existence of adequacy decision, Commission Implementing Decision (EU) 2016/1250 of 12 July 2016, pursuant to Directive 95/46/EC of the European Parliament and of the Council, on the adequacy of the protection offered by the regime of the EU-US Privacy Shield [notified under number C(2016) 4176].

– MEXICO: existence of standard contractual clause of 27 December 2004 no. 50071/2004.

– TURKEY: existence of standard contractual clause of 27 December 2004 no. 50071/2004.

– RUSSIA: existence of standard contractual clause of 5 February 2010 no. 2010/87.

– CHINA: existence of standard contractual clause of 5 February 2010 no. 2010/87.

How long?

Your personal data are kept for the time necessary to carry out the activities related to the management of the contract that you have entered into with the Data Controller and for the obligations, including legal, that follow.

 

In particular:

identifying data and data relating to the management of the relationship

 

Duration of the contractual relationship

This is subject to:

–  termination of the contract (for any reason)

– the purposes that continue beyond the termination of the contract (e.g. keeping accounts, art. 2220 of the Italian Civil Code)

–  the limitation periods: from five to ten years from the termination of the relationship and in any case from when the rights that depend on it can be exercised (articles 2935, 2946 and 2947 of the Italian Civil Code)

This is also subject to any dispute if it involves an extension of the aforementioned terms, for the time necessary to pursue the related purpose

IT data (access logs to systems and to the network and/or IP addresses)

The duration of the retention period depends on the presumed and/or detected risk and the resulting negative consequences, subject to the measures taken to make the data anonymous or to restrict their processing.

In any case, the data must be kept (starting from the knowledge/detection of the dangerous event or data breach) for the time necessary to notify the supervisory authority of the breach of the data detected through the procedures implemented by the Data Controller and in any case to remedy it.

Once there is no longer a reason giving the right to retain your personal data, the Data Controller will delete them or render them anonymous.

 

What are your rights?

The rights granted to you allow you to always have control over your data. Your rights are those of:

  • access;
  • rectification;
  • erasure;
  • restriction of processing;
  • objection to processing;
  •  

In essence, at any time, free of charge and without specific duties or formalities regarding your request, you can:

  • obtain confirmation of the processing carried out by the Data Controller
  • access your personal data and find out about their origin (when the data are not obtained from you directly), the purposes and scope of the processing, the data of the parties to whom they are communicated, the retention period of your data or useful criteria to determine it;
  • update or rectify your personal data so that they are always precise and accurate;
  • delete your personal data from databases and/or archives, including backups if, inter alia, they are no longer necessary for the purposes of the processing or if this is assumed to be unlawful, and always if the conditions set out under the law apply; and in any case if the processing is not justified by any other equally legitimate reason;
  • restrict the processing of your personal data in certain circumstances, for example where you have contested the accuracy, for the period necessary for the Data Controller to verify their accuracy. You must also be informed, in a reasonable time, of when the suspension period has been completed or the cause of the restriction of the processing has ceased, and therefore the limitation itself has been revoked;
  • obtain your personal data, if their processing takes place on the basis of a contract and with automated tools, in electronic format also in order to transmit them to another data controller.

The Data Controller must do so without delay and, in any case, at the latest within one month of receiving your request. The deadline may be extended by two months, if necessary, taking into account the complexity and number of requests received. In such cases, the Data Controller will inform you of the reasons for the extension within one month of receiving your request.

For any further information and in any case to send your request, please write to privacy@sisma.com.

 

How and when can you object to the processing of your personal data?

For reasons relating to your particular situation, you can object to the processing of your personal data at any time if it is based on legitimate interest, by sending your request to the address privacy@sisma.com.

You have the right to have your personal data deleted if there is no legitimate reason overriding the one that gave rise to your request.

 

How can you lodge a complaint?

Without prejudice to any other administrative or judicial action, you can lodge a complaint with the data protection authority, unless you reside or carry out your work in another Member State. In the latter case, or in that in which the breach of the legislation on the protection of personal data takes place in another EU country, the supervisory authorities in the country of residence shall be responsible for receiving and dealing with the complaint.

 

Any update of this privacy statement will be communicated to you promptly and by appropriate means, before proceeding and in time to give your consent if necessary.