Privacy Policy: Suppliers

This information is provided in compliance with Articles 13 and 14 of the EU Regulation 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter “GDPR”) to the persons affected by the processing of their personal data underlying the supply and/or collaboration relationship in place with them.

This document explains the purposes and methods by which your personal data are processed, what personal data are processed, what rights the data subjects have and how these rights can be exercised.

1.      Data Controller and Data Protection Officer

Pursuant to Article 4 of the GDPR, the data controller of your personal data referred to in this information notice is the Engineering Group Company with which you or your company has the contractual relationship of supply and/or collaboration (“Data Controller”). The corporate and contact details of each Engineering Group Company are set out in Annex 1 at the end of this document.

The Data Controller has appointed a Data Protection Officer or “DPO”, who can be reached at the following e-mail address: dpo.privacy@eng.it.

2.      Categories of personal data processed

The Data Controller shall collect and process personal data of a common nature directly related to the supplier or to relevant persons within the supplier’s structure, such as collaborators, employees and/or contact persons of the supplier.

The data collected and processed are personal data (first name and surname), contact data (telephone number, e-mail address) and financial data of the persons concerned in their capacity as contact persons in the execution of the supply and/or cooperation relationship, exclusively to the extent that such data are necessary for the proper conduct of said relationship.

In the case of the supply and provision of services within the scope of public contracts, in compliance with the provisions of the applicable procurement regulations and for the purpose of ascertaining the requirements of good repute, subjective requirements and disqualification prerequisites, judicial data (e.g. criminal record certificate, certificate of pending charges, etc.) will also be collected and processed.

3.      Purpose of processing and legal bases

The Data Controller will process your data for the execution of supply contracts, for internal supplier management and quality control, and for the purpose of fulfilling the legal obligations incumbent on the Data Controller.

Your personal data will be processed:

a.      for the purposes of the performance of the contract to which the data subject is party or the execution of pre-contractual measures taken at the data subject’s request [Art. 6(1)(b) GDPR];

b.      for the purposes of carrying out due diligence activities prior to the establishment of a relationship with the Controller and/or the insertion, updating or monitoring of the supplier database, either for the purposes of carrying out pre-contractual measures [Art. 6(1)(b) of the GDPR], or for the purposes of complying with legal obligations incumbent on the Data Controller (e.g. accounting and tax, anti-money laundering, procurement, health and safety in the workplace, ascertaining the requirements of good repute, as well as obligations relating to Model 231 and the Data Controller’s Code of Ethics) [Art. 6(1)(c) of the GDPR];

c.      for the internal management of suppliers, the improvement and enhancement of sustainability and the value chain, as well as for the control of their quality and performance, therefore in the pursuit of the legitimate interest of the Data Controller to monitor the fulfilment of the obligations undertaken, the suitability of the supplier and its commitment to the latest business and sustainable development standards, as well as to know the close relationships of suppliers in order to prevent conflicts of interest and unethical uses of the work position for personal gain, with the aim of complying with internal procedures and the Code of Ethics [Art. 6(1)(f) of the GDPR];

d.      for the purpose of communication and management of events conceived and/or proposed by the Controller (e.g. sending of communications relating to events, publication of information), in pursuit of the legitimate interest of the Controller in ensuring the effective management of events that aim to engage the Controller’s supply chain on topics of various interests (e.g., social) [Art. 6(1)(f) of the GDPR];

e.      to carry out checks and audits on data and network security and to prevent and counter possible computer crimes, thus in pursuit of the legitimate interest of the Data Controller to maintain the protection of internal IT systems and apply adequate security measures, as well as to assert, exercise or defend a right in court [Art. 6(1)(f) GDPR];

f.      for the purpose of sending commercial and/or promotional communications to the data subject concerning products and/or services offered by the Data Controller with respect to which the recipient has given his/her consent [Art. 6(1)(b) GDPR]. Consent may be revoked at any time by sending a communication to dpo.privacy@eng.it, which results in the discontinuation of said commercial and promotional activities;

g.      to carry out market research, statistical analysis and related services, thus in pursuit of the legitimate interest of the Controller to ensure the possibility of conducting and improving its business [Art. 6(1)(f) GDPR].

The provision of your personal data for the purposes a), b) and e) is mandatory. Failure to do so will make it impossible for the Data Controller to establish business relations with the supplier in whole or in part and/or execute the relevant contract.

4.      Data processors and authorized persons

The Data Controller will share your personal data with its employees and collaborators specifically identified and instructed by a written deed pursuant to Article 29 of the GDPR (“Authorized Persons”), who will process them, under the authority of the Data Controller, exclusively for the purpose of performing their respective work duties.

Your personal data may also be shared with third parties, appointed as data processors by the Data Controller in writing pursuant to Article 28 of the GDPR, or, where required by applicable law, as autonomous data controllers.

With reference to these categories of third-party recipients, it is specified that your data may be shared with public authorities if this is required by law or by order of the competent authorities.

5.      Transfer of data outside the EU

In pursuit of the above-mentioned purposes, some of your personal data may be shared with recipients located outside the European Union/European Economic Area. In such circumstances, the Data Controller ensures that the transfer of such data takes place in compliance with the provisions of Chapter V of the GDPR (Transfers of Personal Data to Third Countries or International Organisations), therefore on the basis of an adequacy decision of the European Commission pursuant to Article 45 GDPR or, failing that, with the adoption of the appropriate safeguards referred to in Article 46 of the GDPR, such as the Standard Contractual Clauses in the latest version published by the European Commission.

6.      Data Retention Periods

Your personal data will be stored, with logic strictly related to their security and to the resilience of the systems used for their processing, for the time strictly necessary to achieve the purposes for which they were collected. In particular, the storage and processing of your data will be carried out in full compliance with the principles of data minimisation and storage limitation pursuant to Article 5 of the GDPR.

Contact data processed for the purpose of conducting promotional activities on the basis of your consent will be processed for twenty-four (24) months from the date the consent was given, unless revoked. This period may be extended by the data subject renewing consent to the processing for this purpose.

In addition, the Controller may keep your personal data for a further period to fulfil contractual and legal obligations applicable to it and, where necessary, to assert, exercise or defend its own rights in and out of court, in any case for the maximum period permitted by the law in force at the time.

7.      Data subject’s rights

Pursuant to current legislation, you have the following rights.

  • Access: you have the right to access at any time the data concerning you that are available to the Data Controller, as well as any useful information concerning the processing carried out by the latter;
  • Rectification: you have the right to obtain the rectification and/or correction of inaccurate data concerning you that is available to the Controller;
  • Deletion: in the event of specific reasons, you have the right to request and obtain, without undue delay, the deletion of your data in the possession of the Controller;
  • Restriction: in special cases, you have the right to have the processing of your data restricted;
  • Portability: in the event of automated processing of data based on your consent or the performance of a contract, you have the right to receive, in a structured, commonly used, and machine-readable format, your personal data provided to the Controller, as well as the right to transmit such data to another controller without hindrance;
  • Objection: you have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data based on the pursuit of the legitimate interests of the controller, unless the controller proves the existence of compelling legitimate grounds that override your interests, rights and freedoms;
  • Automated decision-making: you have the right not to be subject to a decision based solely on automated processing of your data, including profiling, where such a decision significantly affects you.

You may exercise your rights, in the manner set out in Article 12 of the GDPR and within the limitations set out in Article 23 of the GDPR, by writing to the Controller’s contact details set out in this notice or to the DPO’s address: dpo.privacy@eng.it.

Without prejudice to any other administrative or judicial remedy, you are also guaranteed the right to lodge a complaint with the competent supervisory authority where you believe there has been a violation of your data protection rights. Further information is available at https://www.garanteprivacy.it.