Information for Suppliers

Information for suppliers in accordance with Article 13 of the European Data Protection Regulation No. 2016/679

The processing of data relating to legal persons does not fall within the scope of application of the personal data protection provisions of European Regulation no. 2016/679. For the sake of clarity and transparency with regard its Suppliers, San Marzano Vini S.p.A. has provided this information also for legal persons, describing the procedures and the purposes for all processing of personal data that the Company carries out or may carry out. Therefore, the information in particular concerns the data of natural persons working at the Company’s Suppliers.

1. Foreword

Pursuant to Article 13 of European Regulation no. 2016/679 (hereinafter, the “GDPR”), San Marzano Vini S.p.A. (VAT number 03017840731), with registered office in 74020 – San Marzano di S.G. (TA), Via Monsignor Bello n. 9, e-mail privacy@sanmarzanovini.com (hereinafter, the “Company”), as the Data Controller for the personal data already shared or that will be shared in the future, and by which the personal data is or will be collected, wishes to inform you that data concerning you may be subject to processing, in compliance with the above-mentioned regulation, by the Company in relation to the pre-contractual and/or contractual relationships entered into with you or those that may be in future.

2. Source of personal data

Personal data that is acquired or that will be acquired in connection with contractual or pre-contractual relationships are collected directly from the Data Subject. All personal data collected are processed in accordance with the regulations in force and with due confidentiality.

3. Nature of data collection

For the stipulation and execution of the contractual relationship, the collection of personal data is also compulsory in nature due to legal and fiscal requirements. Refusal to provide such personal data will make it impossible for a relationship to be established with the Company. The relevant processing does not require the consent of the data subject.

4. Purpose and Lawful Basis for Processing Data

The collection or processing of personal data has the sole purpose of adequately fulfilling the requirements related to the Company carrying out its business activity, and in particular to:

• carry out pre-contractual activities and obtain preliminary information in order to conclude the contract;
• manage the contractual relationship and all administrative, operational, managerial and accounting activities related to the contract (invoicing, supplier reliability checks, etc.);
• handling of disputes, breaches of contract, warnings, settlements, arbitration, litigation, etc.;
• fulfilment of obligations prescribed by law, regulations, EU regulations and public authority provisions.

The processing is carried out on the basis of compliance with the pre-contractual and/or contractual obligations connected to the relationship you established with the Company, in accordance with Article 6, section 1(b) and (c) of the GDPR.

5. Processing methods

The processing of personal data will be carried lawfully and correctly and in any case in accordance with the above-mentioned regulations, using means that are suitable to guarantee its security and confidentiality; it can also be performed using computerised tools that are able to store, manage and transmit the data themselves.
The processing will be carried out, principally, by the Company’s internal organisation, under the direction and control of the corporate functions in charge and for the purposes indicated above.

6. Processing duration

In accordance with Article 5, section 1(e) of the GDPR, personal data subject to processing will be stored for as long as strictly necessary with regard to the pre-contractual and contractual relationship, and therefore for the duration thereof.

After termination of the contractual relationship:

• data necessary for the fulfilment of legal and tax obligations will be kept for a further 10 years;
• data necessary for any defence in court will be kept for the entire duration of the trial, until the court’s decision has been handed down;
• data necessary for the provision of communications to the independent and judicial supervisory authorities will be kept for a period of 5 years, at the end of which any need for further storage will be assessed if requested by those authorities.

After the termination of the relationship, data other than that necessary for the purposes referred to in the points above will be deleted immediately.
For pre-contractual purposes, only the data will be kept for the duration of the negotiations and in case of failure to conclude the contract, for the next 12 months, except for any defence in court in the case of litigation and/or pre-litigation. In the latter case, in fact, the necessary data will be kept for the entire duration of the trial, until the court’s decision has been handed down.

7. Data recipients

Without prejudice to communications made in fulfilment of legal obligation, regulation or EU legislation and those within the group, communication, even just consultation or making available personal data concerning you may take place with the following parties:

1. companies belonging to the Group, connected to our Company, located in Italy;
2. agencies, supervisory bodies, public authorities or institutions;
3. natural or legal persons providing specific services, such as, but not limited to, data processing, legal, administrative, tax and/or accounting consultancy, etc.;
4. d. commercial intermediaries, banks and credit institutions, financial intermediary companies, natural or legal persons for the recovery of credit, audits and/or certification of financial statements and quality systems, independent collaborators of the Company, agents and signalers, insurers and brokers, etc.;

The entities referred to in point a) operate as external Data Processors; while the entities referred to in points from b) to d) operate as indipendent Data Controllers.

We assure you that, in any case, only the personal data that is necessary and relevant for the purposes of the processing provided is transferred to the aforementioned parties, if not aggregated personal data and in anonymous form.

The list of these parties will be updated on an ongoing basis and is accessible to you upon request to the Company. Due to the existence of links with these by telematic or computer means or correspondence, the personal data may be made available abroad, possibly also outside the countries belonging to the EU taking into account the existence of the relevant authorisation, i.e. on the basis of standard contractual clauses.
Personal data shall not in any case be disclosed.

8. Rights of the Data Subject

You retain your right to access the contacts indicated in the introduction for the personal data provided for in Article 15 of the GDPR and the rights provided for by Articles 16, 17, 18 and 21 of the GDPR regarding rectification, cancellation, restriction of processing and the right to object, within the limits of Article 2-undecies of the Personal Data Protection Code and with the procedures set out in Article 12 of the GDPR. For this purpose, email communications may be sent to the Data Controller’s e-mail address.
Should our Company not respond to you within the time allowed by the law, or if the response to the exercising of your rights is not adequate, you can submit a complaint to the Italian Data Protection Authority, whose details are as follows: Website www.gpdp.it or www.garanteprivacy.it, E-mail protocollo@gpdp.it, Switchboard: (+39) 06.69677.1.

9. Further information

Further information regarding the processing and communication of personal data may be requested from the Company.

If a Data Protection Officer is appointed (pursuant to Art. 37 of the Privacy Regulation), their contact details will be published on the Data Controller’s website.

An up-to-date list of designate Data Processors is available at the Company.