PRIVACY POLICY
PURSUANT TO ART. 13 EU REG. 2016/679 (GDPR)
Mod. Supplier Information REV. 00 of 05/10/2023

In compliance with the obligations provided for by the European Data Protection Regulation (hereinafter referred to as ‘GDPR’) and by the Italian legislation of the sector, the company GEOVITA S.R.L., in its capacity as Data Controller, provides the information relating to the processing of Data, as defined below.

1. IDENTITY AND CONTACT DATA OF THE OWNER
The Data Controller (hereinafter also ‘Controller’) is the company GEOVITA S.R.L., with registered office in Corso Barolo, 47 – 12051 Alba (CN), Tax Code and VAT no. 03060290040, R.E.A. CN-259031, tel. +39 0141 721022, e-mail: privacy@geovitagroup.it, PEC: geovita@pec.it, hereinafter also ‘Data Controller’ or just ‘Controller’.

2. PURPOSE OF DATA PROCESSING
The Data Controller collects and processes data relating to the supplier and the personal identification and contact data of the natural persons who act in the name and on behalf of the supplier and/or in its interest (hereinafter, respectively, the ‘Data’ and the ‘Interested Parties’) for the following purposes
(a) management of the pre-contractual relationship and management and execution of the contract and all related activities (‘Contractual Purposes’);
b) fulfilment of obligations deriving from laws, regulations and/or provisions issued by authorities legitimated to do so or by supervisory and control bodies (‘Legal Purposes’)
c) protection of the legitimate interests of the Data Controller, including in court (‘Protection Purposes’).

3. LEGAL BASIS OF THE PROCESSING
The legal bases that make the processing of the Data lawful consist of:
– for Contractual Purposes: by the need to ensure the proper management and execution of the pre-contractual and contractual relationship (Art. 6, par. 1 letter B, GDPR);
– for the Legal Purposes: by the need to ensure the fulfilment of obligations under national and supranational legislation (Art. 6, par. 1 letter C, GDPR);
– for the Protection Purposes: by the need to exercise and protect the legitimate interests of the Data Controller, as set out above (Art. 6(1)(F), GDPR).

4. METHODS OF DATA PROCESSING
The Data will be processed using both manual and IT tools, such as management software, with methods and tools suitable to guarantee maximum security. Processing will be based on principles of correctness, lawfulness, transparency, necessity and in such a way as to
protect the confidentiality of the Data. The Data shall not be subject to any automated decision-making process.

5. RETENTION PERIOD
The Data Controller will retain the Data for the period necessary to fulfil the purposes for which it was collected. In any case, as a general rule, the following retention periods apply:
a) the Data collected for the Contractual Purposes shall be retained for the entire duration of the Contract and for 10 years after the expiry of the Contract in order to fulfil tax and accounting obligations, as well as for legal protection in case of disputes arising from the Contract itself;
b) Data collected for the Legal Purposes shall be kept for a period equal to the duration prescribed by law for each type of Data;
c) Data collected for the Purposes of Protection are kept until the pursuit of the same, in any case not beyond the lapse of the statute of limitations provided by the law for the exercise of rights.

6. RECIPIENTS OF PERSONAL DATA
Processing is carried out by the Owner’s staff specifically authorised for this purpose by virtue of their respective duties, as well as by the Data Processors specifically identified in writing, within the scope of their respective functions and in compliance with the instructions issued by the Owner, ensuring the use of appropriate measures for the security of the data processed and guaranteeing their confidentiality. The list of Data Processors is available upon request.
The Data may also be communicated to the following categories of recipients
a) subjects, entities or authorities to which, in their capacity as independent data controllers, it is mandatory to communicate the Data by virtue of legal provisions and/or orders of the authorities;
b) companies controlled, controlling or, in any case, connected in any legal form;
c) any trade associations to which the company has adhered;
d) credit institutions, finance companies, credit insurance companies and other credit intermediaries that provide services functional to the purposes described above
e) software support companies, cloud and IT service providers;
f) supervisory bodies or certifying bodies, where necessary;
g) companies or professionals for the judicial or extrajudicial protection of the Controller’s rights.

7. TRANSFER OF DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS
The data collected will not be transferred to third countries or international organisations.

8. NATURE OF THE PROVISION OF DATA
The provision of the Data is necessary in order to fulfil legal and contractual obligations and, therefore, any refusal to provide it in whole or in part may make it impossible for the Controller to execute the contract.

9. RIGHTS OF THE DATA SUBJECT
The Data Subject has the right to ask the Controller
● to access the Data and rectify it if inaccurate, to delete it or restrict its processing if the conditions are met, or to object to its processing;
● data portability in the cases provided for by the GDPR.
The above rights may be asserted by the Data Subject by forwarding a specific request to the Data Controller at the addresses indicated above.
Finally, should the Data Subject consider that the processing concerning him/her violates the GDPR, he/she has the right to lodge a complaint with the Garante per la protezione dei dati personali ex art. 77 GDPR, or to take legal action.
Please note that the Garante per la protezione dei dati personali is based in Rome, Piazza Monte Citorio no. 121;
Fax: (+39) 06.69677.3785 Telephone switchboard: (+39) 06.696771; e-mail: garante@gpdp.it; certified e-mail: protocollo@pec.gpdp.it.