General Disclosure

GENERAL CUSTOMER AND SUPPLIER INFORMATION

Dear Supplier/Customer,

With this document (“Information Notice”) the Data Controller, as defined below, wishes to communicate the purposes and methods of processing personal data and the rights that THE Regulation (EU) 2016/679, relating to the protection of natural persons with regard to the processing of personal data and the free movement of such data (“GDPR”), grants to Natural Persons whose personal data IS subjectED to the processing carried out.

This information notice is addressed to natural persons, such as owners, administrators, managers, employees, general contacts of customers and suppliers, whose personal data the Data Controller must process in order to stipulate, follow up on service or supply contracts, qualified as both customers and suppliers.

Natural Persons also include Legal Persons where Natural Person and a Legal Person coincide, for example, self-employed professionals or sole proprietorships.

 

1. Who is the Data Controller

The Data Controller is Gallorini Alloys S.r.l., with its registered office at Via di Pescaiola n.5/7, Civitella in Val di Chiana – Badia al Pino (AR) 52041, represented by the legal representative CARLO GALLORINI – President of the Board of Directors – VAT and Tax Code 01925470518.

 

2. What personal data we process

2.1. Nature of the processed data

For the purposes indicated in this Information Notice, identifying and contact data (name, surname, address, phone number, email, and other contacts as identification number) of natural persons (such as legal representatives, administrators, managers, employees, collaborators, contacts) with whom we will interact for the management of the contractual relationship will be processed, as well as all other personal data necessary for the correct performance of the contractual relationship and to comply with the legal obligations required by the accounting and tax regulations.

 

2.2. Source of personal data

Your personal data processed by the Data Controller are those provided directly by you, through direct contact or collected through business cards, company presentations and following a phone or email contact.

 

3. Purpose of processing and legal basis

The processing to which your personal data will be subjected is aimed exclusively at:

  • A. Carrying out activities related to the stipulation and execution of the contract to which the data subject is a party;
  • B. Managing legal obligations related to accounting and tax duties (such as receiving and/or issuing tax documents like invoices and/or delivery notes).

For all and only the processing of your personal data envisaged by this Information Notice, the legal basis of the processing is constituted:

  • If the supplier or customer is a natural person:
    • by the necessity of executing the contract, in compliance with Article 6, paragraph 1, letter b), GDPR; and
    • by the necessity of fulfilling legal obligations, in compliance with Article 6, paragraph 1, letter c), GDPR;
  •  If the supplier or customer is a legal person:
    • by the legitimate interest of the Data Controller to process the personal data of employees, managers, contacts, or administrators of the supplier or customer legal person for the purpose of fulfilling the supply contract with them, in compliance with Article 6, paragraph 1, letter f), GDPR. Consequently, your personal data will be processed exclusively to the extent that it is strictly necessary for the management of the relationship between the Data Controller and the company for which you operate, as a supplier or customer of the Data Controller; and
    • by the necessity of fulfilling legal obligations, in compliance with Article 6, paragraph 1, letter c), GDPR.

 

4. Nature of the provision and consequences of a refusal to provide personal data

The provision of personal data is a necessary requirement for the establishment of the contract. The failure to provide data will, therefore, make it impossible for the Data Controller to conclude and execute the supply contract or to commission the work.

 

5. How your personal data will be processed

The processing of your personal data will take place in compliance with the provisions of the GDPR, through paper, IT, and telematic tools, with logic strictly related to the indicated purposes and, in any case, with methods suitable to guarantee their security and confidentiality in accordance with the provisions of Article 32 of the GDPR.

 

6. Retention of your personal data.

The Data Controller uses your personal data only for the time necessary for the management and execution of the current contract, as well as for the fulfillment of the legal obligations deriving from it. The criteria applied by Gallorini Alloys S.r.l. for the retention of Personal Data are:

  • Compliance with the limitation period provided by the Italian Civil Code ex. art. 2220;
  • The duration of the relationship itself.

 

7. To whom your personal data may be communicated and who can become aware of it

The data are processed within the structure of the Data Controller by the subjects (employees) authorized and appointed to process the data under its responsibility for the purposes mentioned above. The data may be communicated to external subjects (outsourcers) with whom specific agreements, conventions, or proper mandates exist with the Data Controller unless they assume the role of autonomous data controller according to the current legislation. The categories of recipients are as follows:

  • Administrative, fiscal, accounting consultancy firms for continuous services related to general bookkeeping, related consultancy, tax declarations and balance sheet, both periodic and annual, and related payments;
  • Suppliers of software for managing the data of suppliers and customers;
  • Banks and credit institutions for the payment of orders of products/services carried out;
  • IT companies providing services for the compliant storage of active and/or passive electronic invoices;
  • The Revenue Agency;
  • Subjects with whom interaction is necessary for the execution or stipulation of the Contract (e.g., hosting providers or providers of platforms for sending emails).

The subjects belonging to the above categories operate, in some cases, in total autonomy as distinct Data Controllers, in other cases, as Data Processors appointed by the Data Controller in compliance with Article 28 of the GDPR. The complete and updated list of subjects to whom your personal data may be communicated can be requested at the Data Controller’s registered office.

 

8. Transfer to Third Countries

Your personal data are not in any way disclosed or transferred to third parties outside the European Union and are not subject to dissemination.

 

9. What rights you have as a data subject

In relation to the processing described in this Information Notice, as a data subject you may, under the conditions provided by the GDPR, exercise the rights enshrined in Articles 15 to 21 of the GDPR and, in particular, the following rights:

  • Right of access: the right to obtain confirmation of whether or not personal data concerning you are being processed and, if so, to obtain access to your personal data – including a copy thereof – and to be informed, among other things, of the following information:
    • a. purposes of the processing;
    • b. categories of personal data processed;
    • c. recipients to whom these have been or will be communicated;
    • d. data retention period or criteria used;
    • e. rights of the data subject (rectification, erasure of personal data, restriction of processing, and the right to object to processing);
    • f. the right to lodge a complaint;
    • g. the right to receive information on the origin of your personal data if they are not collected from the data subject;
    • h. the existence of automated decision-making, including profiling;
  • Right to rectification: the right to obtain the rectification of inaccurate personal data concerning you and/or the integration of incomplete personal data;
  • Right to erasure (right to be forgotten): the right to obtain the erasure of personal data concerning you, when:
    • a. the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
    • b. you have withdrawn your consent and there is no other legal basis for the processing;
    • c. you have successfully objected to the processing of personal data;
    • d. the data have been unlawfully processed;
    • e. the data must be erased to comply with a legal obligation;
    • f. the personal data have been collected in relation to the offer of information society services as referred to in Article 8, paragraph 1, GDPR.
  • Right to erasure does not apply to the extent that processing is necessary for compliance with a legal obligation or for the performance of a task carried out in the public interest or for the establishment, exercise, or defense of legal claims;
  • Right to restriction of processing: the right to obtain the restriction of processing, when:
    • a. the accuracy of the personal data is contested by the data subject;
    • b. the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
    • c. although the data controller no longer needs them for the purposes of the processing, the personal data are required by the data subject for the establishment, exercise, or defense of legal claims;
    • d. the data subject has objected to the processing, pending verification of whether the legitimate grounds of the data controller override those of the data subject;
  • Right to object: You have the right to object, at any time, to the processing of personal data concerning you based on the legitimate interest condition, including profiling, unless there are compelling legitimate grounds for the Data Controller to continue the processing that override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims.

To lodge a complaint with the Data Protection Authority, Piazza di Montecitorio n. 121, 00186, Rome (RM).

 

10. Methods for exercising rights.

The above rights may be exercised by contacting the Data Controller through:

  • A registered letter with acknowledgment of receipt to
    • Nature of the provision and consequences of a refusal to provide personal data
      The provision of personal data is a necessary requirement for the establishment of the contract. The failure to provide data will, therefore, make it impossible for the Data Controller to conclude and execute the supply contract or to commission the work.
    • How your personal data will be processed
      The processing of your personal data will take place in compliance with the provisions of the GDPR, through paper, IT, and telematic tools, with logic strictly related to the indicated purposes and, in any case, with methods suitable to guarantee their security and confidentiality in accordance with the provisions of Article 32 of the GDPR.
    • Retention of your personal data. The Data Controller uses your personal data only for the time necessary for the management and execution of the current contract, as well as for the fulfillment of the legal obligations deriving from it. The criteria applied by Gallorini Alloys S.r.l. for the retention of Personal Data are:
      • Compliance with the limitation period provided by the Italian Civil Code ex. art. 2220;
      • The duration of the relationship itself.
    • To whom your personal data may be communicated and who can become aware of it
      The data are processed within the structure of the Data Controller by the subjects (employees) authorized and appointed to process the data under its responsibility for the purposes mentioned above. The data may be communicated to external subjects (outsourcers) with whom specific agreements, conventions, or proper mandates exist with the Data Controller unless they assume the role of autonomous data controller according to the current legislation. The categories of recipients are as follows:

      • Administrative, fiscal, accounting consultancy firms for continuous services related to general bookkeeping, related consultancy, tax declarations and balance sheet, both periodic and annual, and related payments;
      • Suppliers of software for managing the data of suppliers and customers;
      • Banks and credit institutions for the payment of orders of products/services carried out;
      • IT companies providing services for the compliant storage of active and/or passive electronic invoices;
      • The Revenue Agency;
      • Subjects with whom interaction is necessary for the execution or stipulation of the Contract (e.g., hosting providers or providers of platforms for sending emails).

       

      The subjects belonging to the above categories operate, in some cases, in total autonomy as distinct Data Controllers, in other cases, as Data Processors appointed by the Data Controller in compliance with Article 28 of the GDPR. The complete and updated list of subjects to whom your personal data may be communicated can be requested at the Data Controller’s registered office.

    • Transfer to Third Countries
      Your personal data are not in any way disclosed or transferred to third parties outside the European Union and are not subject to dissemination.
    • What rights you have as a data subject
      In relation to the processing described in this Information Notice, as a data subject you may, under the conditions provided by the GDPR, exercise the rights enshrined in Articles 15 to 21 of the GDPR and, in particular, the following rights:

      • Right of access: the right to obtain confirmation of whether or not personal data concerning you are being processed and, if so, to obtain access to your personal data – including a copy thereof – and to be informed, among other things, of the following information:
        a. purposes of the processing;
        b. categories of personal data processed;
        c. recipients to whom these have been or will be communicated;
        d. data retention period or criteria used;
        e. rights of the data subject (rectification, erasure of personal data, restriction of processing, and the right to object to processing);
        f. the right to lodge a complaint;
        g. the right to receive information on the origin of your personal data if they are not collected from the data subject;
        h. the existence of automated decision-making, including profiling;
      • Right to rectification: the right to obtain the rectification of inaccurate personal data concerning you and/or the integration of incomplete personal data;
      • Right to erasure (right to be forgotten): the right to obtain the erasure of personal data concerning you, when:
        a. the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
        b. you have withdrawn your consent and there is no other legal basis for the processing;
        c. you have successfully objected to the processing of personal data;
        d. the data have been unlawfully processed;
        e. the data must be erased to comply with a legal obligation;
        f. the personal data have been collected in relation to the offer of information society services as referred to in Article 8, paragraph 1, GDPR.
      • Right to erasure does not apply to the extent that processing is necessary for compliance with a legal obligation or for the performance of a task carried out in the public interest or for the establishment, exercise, or defense of legal claims;
      • Right to restriction of processing: the right to obtain the restriction of processing, when:
        a. the accuracy of the personal data is contested by the data subject;
        b. the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
        c. although the data controller no longer needs them for the purposes of the processing, the personal data are required by the data subject for the establishment, exercise, or defense of legal claims;
        d. the data subject has objected to the processing, pending verification of whether the legitimate grounds of the data controller override those of the data subject;
      • Right to object: You have the right to object, at any time, to the processing of personal data concerning you based on the legitimate interest condition, including profiling, unless there are compelling legitimate grounds for the Data Controller to continue the processing that override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims.To lodge a complaint with the Data Protection Authority, Piazza di Montecitorio n. 121, 00186, Rome (RM).
    • Methods for exercising rights.The above rights may be exercised by contacting the Data Controller through:
      • A registered letter with acknowledgment of receipt to Gallorini Alloys S.r.l. at Via di Pescaiola n.5/7 52041 Civitella in Val di Chiana – Badia al Pino (AR).
      • An email to the address info@gallorini.it.

      A response will be provided without undue delay and, in any case, no later than one month from receipt of the request.

    at Via di Pescaiola n.5/7 52041 Civitella in Val di Chiana – Badia al Pino (AR).

  • An email to the address info@gallorini.it.

A response will be provided without undue delay and, in any case, no later than one month from receipt of the request.

Contact us for consulting, prices, assistance and customization

Subscribe to our newsletter