LEGAL NOTE

CUSTOMER AND SUPPLIER PRIVACY NOTICE IN COMPLIANCE WITH REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 APRIL 2016 (“GDPR”)

This notice is given by ATERIAL S.r.l. to its customers and suppliers in compliance with articles 13 and 14 of the GDPR to inform them as to how the company processes their personal data.

1. The Controller

The Controller is ATERIAL S.r.l., a company incorporated under the laws of Italy, Registry of Companies of Bergamo, number, tax code and VAT 04371000169, with registered office in Bergamo (Italy), Via Goffredo Mameli n. 10 (hereinafter the “Controller”).

The Controller may be reached by email at admin@aterial.it, or by letter to Via Goffredo Mameli n. 10, Bergamo (Italy).

2. Categories of personal data, purposes and legal basis of the processing

2.1. Customers

A. Source of personal data

The Controller processes personal data that customers will give him, orally or in writing.

The Controller may also process customer’s personal data from public databases, i.e. the Registry of Companies.

B. Categories of personal data

The Controller processes the following categories of customer’s personal data.

Common data: name, surname and date of birth; residence and/or domicile; tax code; VAT; email address; information on financial standing.

Special categories of personal data: the Controller does not process personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Personal data relating to criminal convictions and offences: the Controller does not process personal data relating to criminal convictions and offences.

C. Purposes and legal basis of the processing

The purposes of the processing of customer’s personal data indicated in the paragraph above are the performance of a contract between the Controller and the customer, the negotiation of said contract and the compliance with the Controller’s legal obligations arising from said contract (i.e. tax obligations, etc.). The processing is lawful because it is necessary to perform the contract to which the customer is a party, or to take steps at the request of the customer prior to entering into the contract, and it is lawful because it is necessary to comply with the Controller’s legal obligations.

The customer’s consent to the processing is not required; however, should the customer refuse to provide his personal data indicated above, the Controller would not be able to provide his services to the customer.

2.2. Suppliers

A. Source of personal data

The Controller processes personal data that suppliers will give him, orally or in writing.

The Controller may also process supplier’s data from public databases, i.e. the Registry of Companies.

B. Categories of personal data

The Controller processes the following categories of supplier’s personal data.

Common data: name, surname and date of birth; residence and/or domicile; tax code; VAT; email address; bank account and other banking details; information on financial standing.

Special categories of personal data: the Controller does not process personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Personal data relating to criminal convictions and offences: the Controller does not process personal data relating to criminal convictions and offences.

C. Purposes and legal basis of the processing

The purposes of the processing of supplier’s personal data indicated in the paragraph above are the performance of a contract between the Controller and the supplier, the negotiation of said contract and the compliance with the Controller’s legal obligations arising from said contract (i.e. tax obligations, etc.). The processing is lawful because it is necessary to perform the contract to which the supplier is a party, or to take steps prior to entering into the contract, and it is lawful because it is necessary to comply with the Controller’s legal obligations.

The supplier’s consent to the processing is not required; however, should the supplier refuse to provide his personal data indicated above, the Controller would not be able to enter into the contract with the supplier.

3. Communication of data

Customer’s and supplier’s personal data may be communicated to recipients who provide their services to the Controller, provided that said recipients will protect the confidentiality of the data and process the data in compliance with the GDPR.

Consequently, personal data may be communicated to external service providers, tax advisors, IT providers who assist the Controller with the maintenance of his IT infrastructure, banks, insurance companies and legal advisors.

4. Transfer of personal data outside the EU/EEA

If the Controller transfers personal data to a country outside the EU or the EEA (hereinafter the “EEA”), he will only do so when at least one of the following conditions is met:

  1. The transfer is addressed to a non-EEA country or a non-EEA international organisation that has been identified by the European Commission as a country or international organisation that ensures an adequate level of protection;
  2. The transfer is protected by a contract that regulates the processing of personal data in compliance with the GDPR;
  3. The recipient is an undertaking that applies binding corporate rules approved by the competent supervisory authority; or
  4. The recipient is an undertaking in the United States of America that has been certified under the EU-US Privacy Shield.

5. How the processing is made and personal data is stored

The Controller advises that personal data is processed in compliance with the GDPR, by using manual, electronic and online means. The processing may also be carried out by automatic means that store, manage and transfer the data.

Personal data is protected by technical and organisational measures that minimise risks of data breach, disclosure, loss and destruction.

Personal data will be stored for the entire duration of the contractual relationship with the data subject and for ten years after its termination, to allow the Controller to meet his legal obligations and carry out any legal actions.

6. Customer and supplier’s rights

Pursuant to articles 15 and following of the GDPR, customers and suppliers are entitled to:

  • demand access to their personal data and information related to them;
  • demand the rectification of inaccurate data or completion of incomplete data;
  • demand the erasure of their data;
  • demand the restriction of the processing;
  • object to the processing of their data at any time;
  • demand and receive the personal data concerning them, which they have provided to the Controller, in a structured, commonly used and machine-readable format (data portability);
  • lodge a complaint with a supervisory authority (https://www.garanteprivacy.it/web/guest/home_en).

The rights mentioned above are not absolute and are subject to various conditions provided by the GDPR, as well as to other laws that apply to the Controller.

The data subjects may exercise their rights by writing to the Controller as follows:

  • Email: b1shop@progettostudio.legalmail.it
  • Mail: ATERIAL S.r.l., Via Goffredo Mameli n. 10, 24126 Bergamo, Italy.

7. Automated decision-making

Personal data is not subject to any automated decision-making nor profiling.

8. Updates

This privacy policy was updated on 20/03/2023.
