SUPPLIER PRIVACY NOTICE

SUPPLIER PRIVACY NOTICE

pursuant to Art. 13 of EU Regulation 2016/679

 

PRIVACY NOTICE
This Privacy Notice provides a clear and transparent description of the information we collect and process under the agreement entered into with our Suppliers in compliance with the EU General regulation on the protection of natural persons with regard to the processing of personal data (hereinafter GDPR or Regulation).

Who is the Data Controller?
The Data Controller (hereinafter the Controller) is the company GTS S.p.a., with registered office in Genoa (GE), Via G. D’Annunzio, 2/75, with which the supplier entered and/or may enter into an agreement. The Company is part of the Quiris Group, and it adopted the same data protection technical-organisational measures and best practices as the Group. The Controller is available at the e-mail address privacy@gtsspa.com, or at the telephone numbers provided in the section “Contact us” of the website www.gtsspa.com.

What are personal data and what data do we process?
“Personal data” means any information suitable for identifying, directly or indirectly, a natural person, in this case being our Supplier (i.e. the Data Subject).
In particular, we collect and process the following personal data:

  • identification and personal details (e.g. name, surname, date and place of birth, tax code);
  • identification information of employees/contractors involved in the activities referred to in the agreement entered into with the Group’s Company(s);
  • contact details of the legal representative and of his/her collaborators (e.g. residential address, telephone number, e-mail address);
  • in general, any other data or information necessary to enter into and perform the agreement (e.g. VAT number, bank account(s) details etc.).

What are the purposes and legal basis for the processing?
The Controller collects and processes personal data (hereinafter also “data”):

  1. for the purposes necessary both for pre-contractual activities and for the management and execution of the agreement entered into (e.g. administrative and accounting activities), pursuant to Art. 6.1 b) of the GDPR;
  2. in order to fulfil the legal obligations (e.g. administrative, accounting and tax obligations) imposed on the Controller and to comply with requests made by the Authorities, pursuant to Art. 6.1 c) of the GDPR;
  3. in order to enforce the Controller’s rights in case of any dispute, for instance the right to defence in legal proceedings, pursuant to Art. 6.1 f) of the GDPR.

The provision of personal information for the aforesaid purposes is essential for the management and performance of the contractual relationship and does not require prior consent. Failure to provide said information shall result in the impossibility to enter into/or continue the contractual relationship.

How do we process data?
We process data for the above said purposes both by automated means, on electronic or magnetic media, and by non-automated means, in paper form. Please note that the Controller does not perform totally automated decision-making processes.

How long do we retain personal data?
Data shall be retained for the entire duration of the agreement and as long as the obligations or requirements related to its performance exist, and however up to 10 years after the cessation of the contractual relationship in order to comply with legal obligations and to meet requirements connected to the enforcement of the Controller’s right to defence.
After the above deadlines, data shall be erased or anonymised permanently and irreversibly.

To whom do we disclose personal data?
We disclose data only to individuals we engage with in order to perform the activities necessary for the achievement of the aforesaid purposes and who act as independent data Controllers or who have been appointed as data Processors pursuant to Art. 28 of the GDPR, including, without limitation, the following entities:

  • companies or other third parties carrying out outsourced activities on behalf of the Controller (for instance: credit institutions, professional offices, consultants, legal audit firms, external companies providing insolvency risk prevention and control services as well as fraud control and credit protection services, entities dealing with credit recovery, both judicial and extra-judicial);
  • public authorities, supervisory authorities or judicial authorities for the fulfilment of legal obligations;
  • affiliates or subsidiaries of the Group, when it is necessary in order to achieve the aforesaid purposes.

Where do we transfer your data?
GTS shall carry out the processing within the European Economic Area (EEA). However, in some cases your data may be transferred to third countries where the suppliers of platforms/services/SW products engaged by the Group are based. If for said third parties there are no adequacy decisions or international agreements in place, the guarantee for the transfer shall be based on the Standard Contractual Clauses approved by the European Commission.

What are your rights as Data Subject?
With regard to the aforesaid processing, you can exercise your rights set out in Articles from 15 to 22 of the EU Regulation 2016/679.
In particular, in the cases provided for by the Regulation, Data Subjects are entitled to request the Controller to grant them access their data (Art. 15 GDPR) as well as to rectify (Art. 16 GDPR) or erase their data (Art. 17 GDPR), they are also entitled to object to the processing (Art. 17 GDPR) or to request restriction of processing (Art. 18 GDPR) and to obtain their data in a structured, commonly used and machine readable format (Art. 20 GDPR). You can also withdraw your consents pursuant to Art. 7 of the Regulation (Art. 21 GDPR).
The aforesaid rights may be enforced against the Controller, by writing to privacy@gtsspa.com or by using its contact details provided at the beginning of this notice.
Pursuant to the applicable regulation, if they believe that their personal data are processed in breach of the regulation in force, Data Subjects may also file a complaint with the Data Protection Authority pursuant to Art. 77 of the Regulation or refer the matter to the Judicial Authority pursuant to Art. 78 of the GDPR.

Amendments to our Privacy Notice
The Data Controller reserves the right to amend and/or implement this notice, also as a result of changes in legislation following the pre-contractual or contractual relationship entered into with you, or as a result of recommendations, general authorisations, guidelines, or additional guarantee measures specified. The updated version of this notice as of the date provided below is vailable in our website.

Last updated on 10.10.2024
The Controller
GTS SPA