PURSUANT TO ART. 13-14 OF THE REGULATION (EU) 2016/679
We inform you, pursuant to Art. 13-14 of the Regulation (EU) 2016/679 on the protection of personal data (“GDPR”) that your personal data could be processed according to the current legislative and contractual provisions.
In relation to the above, we inform you that:
The Data Controller, that is whoever determines the purposes and means of the processing of personal data, is the IMA Group company with which your company has a contractual relationship (hereinafter “Company” or “Data Controller”).
The updated list of the IMA Group companies is available at the following website: https://ima.it/it/il-gruppo-ima/societa-del-gruppo-ima/.
You can request all the details regarding the Data Controller identification data by sending an email to: firstname.lastname@example.org.
The IMA Group companies have appointed a data protection officer (“DPO”) who can be contacted to obtain clarifications on the processing of your personal data.
In particular, the Italian companies of the IMA Group has appointed the following DPO:
Alberto Bertuzzo Pirola Pennuto Zei & Associati
Via delle Lame 109
40122 Bologna (Italy)
Tel.:+39 051 526711
other European companies of the IMA Group has appointed the following DPO:
Am Kochenhof 12
Phone: +49 (0) 711 / 258560-0
Personal Data Processed.
For purposes described in paragraph 3 below, the Company collects and processes “contact” personal data (name, surname, email address, telephone number, position and company) of the Contact Personnel within its suppliers (“Personal Data”).
Moreover, during the qualification procedures of its suppliers, the Company may gain knowledge of identification Personal Data and data related to the position covered by the Contact Personnel within the supplier for purposes connected to the operational management of the commercial relationship.
At any time, you can verify that the Personal Data processed for the purposes as per this information are correct and, should they be changed, you can request the update of this data, by sending an email to email@example.com or by registered post to the Company’s headquarters.
Purposes of the processing and legal basis.
The collection and the processing of your Personal Data is carried out without your consent.
Indeed, your Personal Data are processed pursuant to Art. 6 para. 1 letters b), c) and f) of the GDPR for the following purposes:
the collection of information, supplier qualification procedures and pre-contractual negotiations;
the performance of the contract;
the organizational and commercial management of contracts entered into with you;
the fulfilment of any legal and/or regulatory obligations in the civil, tax and accounting fields and other regulations, which may be applicable to the supply relationship;
the protection of the rights of the Company or the IMA Group, both in court and out-of-court proceedings;
audits to ensure compliance of the corporate management systems with standards as provided for by certifications acquired by the Company (i.g. UNI EN ISO);
internal statistical analyses;
to satisfy any request you may have;
management and organizational purposes.
The processing of your personal data for the purposes mentioned above has its legal basis on:
6, para. 1 lett. b) of the GDPR – processing is necessary for the performance of a contract or in order to take steps at your request prior to entering into a contract – with regard to lett. a), b) and c) above;
6, para. 1 lett. c) of the GDPR – processing is necessary for compliance with a legal obligation to which the controller is subject – with regard to lett. d) above ;
6, para. 1 lett. f) of the GDPR – processing is necessary for the purposes of a legitimate interests pursued by the controller – with regard to lett. e), f), g), h) and i) above.
We hereby remind you that you can object to the processing at any time by contacting the Company as per in paragraph 8 below, except in the event that the Company demonstrates the existence of prevailing, compelling, legitimate grounds for the exercise or the defence of a right, pursuant to Art. 21 of GDPR.
Nature of the provision of Personal Data.
In general, the provision of Personal Data and their processing is obligatory; indeed should you refuse to supply your data (or your desire to request their erasure), means that is impossible for the Company to enter into and proceed with the contractual relationships.
Means of data processing.
The processing by the Company of your Personal Data shall be based on principles of correctness, lawfulness, transparency and protection of your privacy and your rights, in accordance with the principles expressed by the GDPR.
Your Personal Data may be processed by paper-based or IT instruments and it shall include – in compliance with the limits and conditions laid down by the privacy legislation – all the operation or set of operations necessary for the processing at issue, including communication to subjects as per para. 6 below. The processing of Personal Data shall be carried out in compliance with confidentiality and security rules provided by European regulations, by law, and other national provisions.
Processing of your Personal Data is achieved by means of the operations described in Art. 4 no. 2 GDPR, that are: collection, recording, organisation, structuring, updating, storage, adaptation or alteration, retrieval and analysis, consultation, use, disclosure by transmission, comparison, alignment, restriction, erasure or destruction.
The Company guarantees the logical and physical security of the Personal Data and, in general, the confidentiality of the Personal Data processed, implementing all the appropriate technical and organisational measures required to avoid the loss of Personal Data, the unlawful use or, in any event, the incorrect use of the same, and unauthorized access by third parties.
Categories of personal data recipients.
Your Personal Data shall not be disclosed, but the Company could, for the purposes described in Art. 3 above, communicate them to:
employees and collaborators of the Data Controller, who shall act in their capacity as authorized data processing personnel; other IMA Group companies and/or consultants appointed by the Data Controller who need to process the Personal Data for the performance of their duties;
third parties who carry out outsourcing activities on the behalf of the data controller, providing specific services as data processors pursuant to Art. 28 GDPR (“Data Processor”). For information on the names and other details of the Data Processors, you can contact the Data Controller to the following address: firstname.lastname@example.org or by mail to the Company headquarters;
banks for the management of collections and payments from the execution of the contract;
law firms, consulting companies or third companies for the defence of legal claims, for the protection of rights or for the recovery of credits;
members of control bodies, such as the Board of Statutory Auditors, the Vigilance Body pursuant to Legislative Decree 231/2001, independent auditors and other internal or external auditors in charge of carrying out checks and inspections on behalf of the Company;
judicial or supervisory authorities, public administrations, public (national or foreign) bodies, in compliance with the provisions of the law and conforming to a previous formal request from such subjects.
The third parties as above to which the Company shall communicate your Personal Data shall process them in their role as Data Processors, expressly appointed by the Company pursuant to Art. 28 of the GDPR or as autonomous data controller.
The Personal Data collected by the Company shall not be disseminated, without prejudice to the communications provided by laws.
It is understood that, in the event of any extraordinary corporate transaction (e.g. sale or lease of a company, merger, etc.) concerning the Company, the Personal Data may be transferred or communicated to third parties purchasers/lessee or others, entitled by the Company.
Personal Data Storage Period.
Your Personal Data shall be stored for the period of time strictly necessary for the purposes of the data processing indicated in para. 3 above and, in any event, for no longer than 10 years from the termination of the contractual relationship and, anyway, no later than the terms established by law for the prescription of the rights.
With regard to the Personal Data processed for the purpose indicated in para. 3 lett f), the storage period is 2 years from the termination of the audits activities.
At the end of the aforementioned periods Personal Data shall be erased.
Rights of the Data Subject.
With reference to your Personal Data you can exercise, at any time, the rights pursuant to the GDPR as indicated below:
Right of Access pursuant to Art. 15: obtain confirmation as to whether or not Personal Data concerning you are being processed, and, where that is the case, access to the following information: thepurposes of the processing, the categories of Personal Data concerned, the recipients to whom the Personal Data have been or will be disclosed, the envisaged period for which the Personal Data will be stored, the right to lodge a complaint with a supervisory authority, the existence of the right to request from the controller rectification or erasure of Personal Data or restriction of processing of Personal Data concerning the data subject or to object to such processing and the existence of automated decision-making;
Right to Rectification pursuant to Art. 16: obtain from the controller, without undue delay, the rectification of inaccurate Personal Data concerning you and the right to have incomplete personal data competed;
Right to Erasure pursuant to Art. 17: obtain from the controller, without undue delay, the erasure of Personal Data concerning you;
Right to Restriction of Processing pursuant to Art. 18:‘restriction of processing’ means the marking of stored Personal Data with the aim of limiting their processing in the future. This will imply the responsibility on the part of the Company to suspend the processing of your Personal Data;
Right to Data Portability pursuant to Art. 20:in the event of automated processing carried out in execution of a contract or on the basis of the explicit consent, to receive your Data in a structured, commonly used and machine-readable format;
Right to Object pursuant to Art. 21: object to the processing of Personal Data concerning you, unless the controller demonstrates compelling legitimate grounds for the processing;
The Company, moreover, informs you that it is possible to lodge a complaint pursuant to Art. 77with the competent supervisory authority based on your residence, workplace or place of infringement of your rights.
You may exercise your above listed rights by means of a request to be sent by email to email@example.com or by registered post to the Company Headquarters.
Requests relating to the exercise of your rights shall be processed without undue delay and in any event within 30 days from the receipt of the request.
Finally, we inform you that the Company reserves the right to modify or update this information also in order to comply with new obligations imposed by laws or for technical reasons.