Privacy notice to customers/suppliers

PRIVACY NOTICE TO CUSTOMERS/SUPPLIERS IN ACCORDANCE WITH ARTICLE 13 OF REGULATION (EU) 2016/679 (“GDPR”)

Dear Sirs, we would like to inform you that Regulation (EU) 2016/679 (the GDPR) sets out rules to protect persons and other data subjects regarding the processing of their personal data.

According to the aforementioned law, such processing must be based on the principles of correctness, legality, transparency and protection of your privacy and your rights.

In accordance with art. 13 of the aforementioned Regulation, we therefore provide you with the following information.

PERSONAL DATA PROCESSED, SOURCE OF THE DATA, PURPOSES OF THE DATA PROCESSING, LAWFUL BASES OF THE PROCESSING AND PERIOD FOR WHICH THE PERSONAL DATA WILL BE STORED

“Data” means any information relating to natural persons that is processed by Nastrotex-Cufra S.p.A. in order to set up and execute the contract with the company’s customers/suppliers, such as for example the data of the customer/supplier’s legal representative who signs the contract in their name and on their behalf, of the customer/supplier’s employees or consultants involved in the activities covered by the contract, the Data of companies belonging to the customer/supplier’s Group for which the representative signs the contract equipped with the necessary powers of representation, as well as any other information needed to execute the contract and/or to supply the service(s) (including those stated hereafter).

The source of the Data is the customer/supplier.

In particular, these Data will be processed for the purposes set out below.

A. To manage the contractual/commercial relationship, such as: satisfying the specific requests of the data subject before concluding the contract; concluding, modifying and executing the contract; supplying and managing the associated services; handling complaints.

The lawful bases of the processing are:

– Execution of the contract for the Data of the customer/supplier’s legal representative

– Legitimate interests for the Data of the customer/supplier’s employees or consultants involved in the activities covered by the contract.

Period for which the personal data will be stored: for the duration of the contract and for 10 years following its termination. In the event of a legal dispute, for its entire duration, until the period in which the appeal process can be brought has finished.

B. Administrative – accounting, such as: invoicing; handling payments, arrears and non-payments; for communicating the Data between companies within the Group, for internal organisational, administrative, financial and accounting purposes to do with the activities involved.

The lawful basis of the processing is the need to fulfil a legal obligation with which Nastrotex-Cufra S.p.A must comply.

Period for which the personal data will be stored: for the duration of the contract and for 10 years following its termination. In the event of a legal dispute, for its entire duration, until the period in which the appeal process can be brought has finished.

C. Fulfilling obligations or exercising rights provided for under national or European Union law or by collective contracts in conformity with national law, such as: Fulfilling obligations provided for by EC and national legislation, in particular by laws, regulations, including contingent and urgent provisions to maintain public order, investigate and fight crime.

The lawful basis of the processing is the need to fulfil a legal obligation with which the Data controller must comply.

Period for which the personal data will be stored: for the duration of the contract and for 10 years following its termination. In the event of a legal dispute, for its entire duration, until the period in which the appeal process can be brought has finished.

D. Extrajudicial credit recovery (for customers), such as: debt collection and protection, either directly or through third party agents (agencies/credit recovery companies) to which the data will be communicated solely for such purposes.

The lawful basis of the processing is legitimate interest.

Period for which the personal data will be stored: for the duration of the contract and for 10 years following its termination. In the event of a legal dispute, for its entire duration, until the period in which the appeal process can be brought has finished.

E. If necessary, to establish, exercise and/or defend the rights in a court of law.

The lawful basis of the processing is legitimate interest.

Period for which the personal data will be stored: for the duration of the contract and for 10 years following its termination. In the event of a legal dispute, for its entire duration, until the period in which the appeal process can be brought has finished.

F. Commercial/advertising information such as, by way of mere example, sending commercial/advertising messages, offers at the request of the customer/supplier and invitations to trade fairs by email.

The use of email addresses of customers/suppliers’ employees and collaborators given in association with the sale of a product or of a service for direct sales of the company’s own products or similar services, is permitted for the purposes of sending information and offers.

The legal basis of the processing is the execution of pre-contractual measures at the request of the interested party.

Period for which the personal data will be stored: the reference data (name, address and contact details) of customers/suppliers will be stored until a request for no further communication has been received, for a maximum period of 5 years.

G. Security, pursuant to Legislative Decree 81/2008. With particular reference to identification data that is freely given by guests or visitors to our offices (name, surname, company or association), the processing serves the sole purpose of ensuring compliance with the company’s official security procedures, including compliance with the legal provisions in force (e.g. maintaining the visitor database/register, assigning temporary recognition badges, fulfilling legal obligations on matters of safety in the workplace).

The lawful basis of the processing: the need to fulfil legal obligations with which the Data controller must comply.

Period for which the personal data will be stored: the Data will be stored for the time period specified by the law. Once the aforementioned storage period has elapsed, the Data will be destroyed or made anonymous, subject to the technical deletion and backup procedures.

TERRITORIAL SCOPE, PERSONS AUTHORISED TO PROCESS DATA

The Data may be communicated to external third parties acting as independent Data controllers, by way of mere example, authorities and supervisory bodies and in general public or private entities with legitimate reason to request the Data (e.g. banks and credit institutions; Local governments and other public authorities).

The Data may be processed, on behalf of the Data controller, by external persons appointed as Data processors, who carry out specific activities on behalf of the controller, by way of mere example, its distribution network, companies and agents engaged in credit recovery for the controller, legal, taxation and business consultants.

The Data may be processed by employees of company departments appointed to perform the aforementioned tasks who have been expressly authorised to process Data and who have received adequate training. The Data will not be transferred.

OPTIONAL CONSENT

Giving consent for the customer/supplier’s Data to be processed is optional, however, refusal to supply said Data could make it impossible to wholly or partially fulfil the contract or service to be provided.

Via S. Statale Soncinese, 2 – 24050 Covo (BG) – Italy

Tel. +39 0363 938167 – Fax +39 0363 93798 – www.nastrotex-cufra.it – email: info@nastrotex-cufra.it

VAT no. 01613040169 – Share Capital € 1,000,000.00 – BG Economic Administrative Index no. 223374

DATA CONTROLLER AND DATA PROCESSORS

The Data controller is Nastrotex-Cufra S.p.A., with registered office in Covo (BG) Via S.S. Soncinese, 2.

An up to date list of Data processors is available at the controller’s registered office.

RIGHTS OF THE DATA SUBJECT

By contacting the offices of Nastrotex-Cufra S.p.A. by email at privacy@nastrotex-cufra.it, the data subject may request access to the Data concerning him or her, as well as deletion, correction of inaccurate Data, the completion of incomplete Data, the deletion of Data, the restriction of the processing under the circumstances provided for by art. 18 of the GDPR as well as objecting, for reasons to do with their own situation, to the processing carried out in the legitimate interests of the Data controller.

Furthermore, where the processing is based on consent or on the contract and is carried out by automated means, the data subject has the right to receive the Data in a structured, commonly used and machine-readable format, as well as, where technically feasible, to have them transmitted to another controller without hindrance.

The data subject has the right to complain to the supervisory authorities in the EU Member State in which he or she normally resides or works or to the authority in the State in which the alleged violation has taken place.

The data subject has the right at any time to revoke the consent given for the purposes of marketing and to object to the processing of Data for such purposes. Data subjects who prefer to be contacted for the aforementioned purposes only by traditional methods shall still retain the right to state their objection to receiving communications through electronic means.

MODIFICATIONS TO THE PRIVACY NOTICE

The Data controller reserves the right to modify this privacy notice at any time, by giving adequate notice on the company website. In order to see any changes made, the user is invited to refer back to the privacy notice regularly which in any case states the date of the latest revision.

Revision date: November 2019