PRIVACY POLICY

PRIVACY POLICY FOR THE PROCESSING OF PERSONAL DATA

pursuant to art. 13 of EU Regulation no. 679/2016, implemented by Legislative Decree no. 101/2018

Dear Customer/Supplier,

We would like to inform you that the processing of your personal data, acquired through our contractual relationship, will be conducted fairly and transparently, for lawful purposes, and in full compliance with the applicable regulations, ensuring the protection of your privacy and rights.
Consequently, in accordance with article 13 of the European Regulation no. 679/2016 concerning the protection of personal data (hereinafter referred to as the GDPR), we are providing you with the following information:

1. Data source
Your personal data are collected in connection with:
a) visits or telephone calls;
b) proposed offers;
c) ) communications and transmissions following the submission of an order.

2. Data subject to processing
The personal data subject to processing include identification details, but do not involve special categories of data as defined by art. 9 of the GDPR. These may include your surname, first name, place of birth, tax code / VAT number, telephone and fax numbers, email address, residential address, payment methods and/or bank details, and any other personal data necessary to fulfil the contractual relationship.

3. Processing methods
Processing will be carried out using both manual and/or automated means, ensuring the security, protection, and confidentiality of your data. Measures will be in place to prevent loss, deterioration, or unauthorised access, as well as to facilitate data recovery within a reasonable time frame in the event of a breach.
The processing operations include collection, registration, organisation, structuring, retention, modification, retrieval, consultation, use, communication, comparison, interconnection, restriction, deletion, and destruction of data.

4. Purpose of processing
Your personal data will be processed for the following purposes:
a) exchange of information and facilitation of communications essential to the execution of the contract;
b) fulfilment of administrative, accounting, and tax obligations related to the contract;
c) management of disputes (breach of contract, legal warnings, settlements, debt collection, and arbitration, etc.);
d) compliance with obligations related to public order, crime detection, and law enforcement.

5. Legal basis for processing
The processing of your personal data is based on the following legal grounds:
a) execution of the contract stipulated between us;
b) compliance with national or EU legal obligations;
c) the legitimate interests of the Data Controller.

Specifically:
The legal basis for purpose a) is art. 6.1(b) of the GDPR, while that for purposes b), c), and d) are based on articles 6.1(c), 6.1(f), and 6.1(e) of the GDPR, respectively.

6. Mandatory or optional nature of processing
As your personal data are essential for the execution of our contract and for the Data Controller to meet its legal obligations, your express consent is not required for the processing of the data that you transmit to the Data Controller, which are lawfully acquired and processed in accordance with art. 6(b) of the GDPR.

7. Recipients of the personal data
The personal data collected will be processed to ensure the proper fulfilment of the contractual obligations, including all related administrative and accounting formalities. These activities will be carried out by:
the Data Controller, designated Data Processors, and authorised external Data Processors (including outsourced service providers) who have been strictly vetted and appropriately trained in accordance with art. 29 of the GDPR.
Your data will not be disclosed, but may be shared with regulatory authorities responsible for audits and compliance checks, as well as with other group companies, including parent, subsidiary, and affiliated entities.

8.Transfer of data to a Third Country
In the event of data transfers to Third Countries, including those that may not provide the same level of protection as the GDPR, processing will always be carried out in compliance with the conditions outlined under articles 44 et seq. of the Regulation.

9. Data retention period
Your personal data will be processed for as long as necessary to fulfil all obligations arising from our contractual relationship. After that, the data will be securely retained, without further processing, for the duration required by the applicable civil and tax laws

10. Rights of the data subject
In accordance with articles 15-22 of EU Regulation no. 679/2016, you may exercise the following rights at any time:

a) to request confirmation of whether your personal data is being processed and, if so, obtain access to that data along with all relevant processing information (right of access under art. 15 GDPR);

b) to request the prompt correction of inaccurate personal data and the completion of incomplete data, including by providing a
supplementary statement (right of rectification under art. 16 GDPR);

c) to request the deletion of your personal data without undue delay if: the data is no longer necessary for the purposes for which it was collected or processed; it has been processed unlawfully; deletion is required to comply with a legal obligation; or you have withdrawn consent or objected to processing (right to be forgotten under art. 17 GDPR);

d) to request the restriction of data processing under the following circumstances: if you contest the accuracy of your personal data, for the time necessary for verification; if the processing is unlawful and you oppose deletion, opting instead for restricted use; if the Data Controller no longer needs the data, but you require them to establish or defend a legal claim; or if you have objected to the processing, pending verification of whether the Data Controller’s legitimate interests override your own (right to restriction under art. 18 GDPR);

e) to receive your personal data in a structured, commonly used, and machine-readable format, and to transfer them to another Data Controller without interference by the Data Controller to whom they were provided (right to data portability under art. 20 GDPR);

f) to object to the processing of your personal data, either in whole or in part. If the data is processed for direct marketing purposes, you have the right to object at any time, including profiling activities related to such direct marketing. If personal data are processed for scientific or historical research or statistical purposes, you have the right to object to the processing based on reasons related to your particular situation, unless such processing is essential for carrying out a task in the public interest (right to object under art. 21 GDPR);

g) to revoke your consent at any time;

h) to lodge a complaint with the Data Protection Authority.

11. Data controller
To exercise any of the rights outlined above, you may contact the Data Controller, NATALE ZUFFINETTI s.r.l., by sending an email to info@zuffinetti.it or a registered letter with acknowledgement of receipt to the following address: Largo Fratelli Cervi, 2 – Vimodrone (MI) Italy 20055