Article 13 EU Regulation 2016/679
The data Controller is Pugi R.G. S.r.l., VAT No. 00275500973, with registered office in Viale Guglielmo Marconi 50/15, 59100 Prato (PO), IT, and headquarters in Via Garibaldi, 33B, 51037 Montale (PT), IT, Tel. +39 0573/557701, Fax +39 0573/557705, Email firstname.lastname@example.org, Certified Email Address email@example.com
With reference to its customers and suppliers as natural persons, the Controller will process only common data including, by way of example but not limited to: name and surname, address, Tax code number, VAT number, telephone number, e-mail address, bank details necessary to execute and/or receive payments, products and services purchased or sold.
With reference to customers and suppliers that are legal persons, some data relating to natural persons indicated as their legal representatives or contact persons may be processed. In this case too, only common data will be processed, in particular the contact data necessary for communications (for example, personal telephone number or e-mail).
The data belonging to the special categories set forth in article 9 of EU Regulation 2016/679 (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data, data relative to health or sex life or sexual orientation of the person), as well as those relative to criminal convictions and offences set forth in article 10 EU Regulation 2016/679, will not be processed.
Purposes and criteria for lawful processing
The above-mentioned personal data are processed for the following purposes:
– Allow the execution and correct performance of the contracts with customers and suppliers
All the data necessary for the performance of the contract, such as name and surname of the customer or supplier, delivery address, and products or services purchased, are processed for the above-mentioned purpose. The consent of the person concerned is not required for this purpose. The lawfulness of the processing is based on the processing being necessary to perform the contract, pursuant to article 6, letter b) EU Regulation 2016/679.
– Allow the fulfilment of accounting and fiscal law obligations
Data such as name and surname, address, Tax Code Number, VAT Number, products or services purchased are processed for the above-mentioned purpose. The consent of the person concerned is not required for this purpose. The lawfulness of the processing is based on the processing being necessary to fulfil accounting and fiscal law obligations, pursuant to article 6, letter c) EU Regulation 2016/679.
– Allow the sending of e-mail communications for direct marketing
This processing purpose concerns customers only, not suppliers. The e-mail addresses provided by the person concerned for the sale of a product or service (associated with the name and the product or service purchased), or to promote the sale of products/services similar to those that were the object of the sale, are processed for the above-mentioned purpose. The lawfulness of the processing is based on the legitimate interests of the Controller pursuant to article 6, letter f) EU Regulation 2016/679, on the basis of the balancing of interests carried out by the Data Protection Supervisory Authority with resolution No. 330 of 4 July 2013 (Guidelines on Marketing and against Spam). The person concerned can refuse this processing at any time.
The refusal to provide the data necessary for the execution of the contract and the fulfilment of law obligations makes it impossible to execute the contract.
External data processors
The Controller may entrust some personal data processing operations to external subjects (such as consultants, certified accountants, attorneys, hosting providers, cloud computing service suppliers, information system maintenance technicians, marketing agencies, etc.), both legal and natural persons, ensuring, including by contract, that the utmost confidentiality about personal data is observed and that their processing complies with the guarantees and safety measures set forth in EU Regulation 2016/679.
Subjects authorised to the processing
The personal data of customers and suppliers are processed by the Controller through its employees. The latter are expressly authorised to carry out the processing and have been duly instructed on the protection and confidentiality of personal data. In the event that some personal data are entrusted to external subjects, the Controller will instruct them pursuant to article 29 of EU Regulation 2016/679 in order to ensure the observance of confidentiality and privacy obligations.
Other recipients of personal data
In order to allow the Controller to fulfil its fiscal obligations, some data can be transferred to the local Tax Authority.
In order to allow the coverage of the risks to the Controller, some personal data may be communicated to insurance companies.
The Controller may communicate the personal data of the person concerned to public authorities in case of law obligation or order of a judge.
Customers' and suppliers' personal data can be processed through both electronic and paper files. Specifically, customers' and suppliers' data are processed through company management software and stored on the company's in-house server.
The Controller has the obligation to arrange adequate measures for the protection of its customers' and suppliers' personal data, in proportion to the level of risk they imply.
Duration of the processing
The personal data necessary or functional to the execution of a contract will be stored for the entire duration of that contract and, in any case, as long as said purpose exists.
The e-mail address can be stored, together with the name and surname of the person concerned and the product or service purchased, for an additional period of 24 months from the termination of the contract, in order to communicate information relative to the services already purchased. However, the customers' and suppliers' contact data are stored for 24 months from the termination of the last contract. This storage time is considered adequate since it does not significantly affect the rights of the persons concerned and satisfies the legitimate interest of the Controller, who does not have to re-enter the contact data in its database every time. In any case, the person concerned is free to request the cancellation of said data at any time.
The personal data necessary for the fulfilment of fiscal and accounting obligations are instead stored, in digital format and/or paper format, for 10 years, in compliance with law obligations set forth in article 2220 Civil Code.
Rights of the person concerned
With reference to the processing described above, the person concerned has the following rights.
The person concerned has the right to ask the Controller, at any time, to be informed about his/her own personal data processed by the Controller, pursuant to article 15 of EU Regulation 2016/679.
The person concerned also has the right to request the correction of his/her own data in case they are incorrect, as well as the completion of incomplete data, pursuant to article 16 of EU Regulation 2016/679.
The person concerned has the right to the cancellation of the data that are no longer necessary for the purpose for which they were processed, those processed with his/her consent if the consent is withdrawn, those unlawfully processed, etc. For the other cases for which cancellation can be obtained, the person concerned can refer to article 17 of EU Regulation 2016/679.
The person concerned has the right to obtain a limitation of the processing of his/her own data in the cases described in article 18 of EU Regulation 2016/679, data portability in the cases described in article 20 of EU Regulation 2016/679, as well as the right to object to the processing of his/her own data in the cases described in article 21 of EU Regulation 2016/679.
In the event that the person concerned considers that a violation in the processing of his/her own data has occurred, he/she has the right to lodge a complaint with the Data Protection Supervisory Authority.
A cancellation request or objection to the processing of the data necessary for the execution of the contract may make it impossible for the Controller to perform it. The person concerned cannot object to the processing or request the cancellation of the data that the Controller has to process in order to fulfil the accounting and fiscal obligations, as well as other law obligations.
For any communication, request, or to exercise his/her own rights relative to the personal data processing, the person concerned may refer to the data Controller using the contact data reported above.