GDPR Privacy Policy
Barabino & Partners S.p.A., with registered office in Foro Buonaparte, 22 in Milan, wishes to inform you, as a data subject (the ‘Data Subject’) that, pursuant to and for the purposes of (i) Legislative Decree no. 196 of 30 June 2003, the ‘Privacy Code’, art.13, (ii) EU Regulation 2016/679 on the ‘protection of individuals with regard to the processing of personal data and on the free movement of such data’, the ‘GDPR’, art.13 (iii) of the subsequent national legislation adapting the domestic legislative framework, rules also jointly referred to as the ‘Privacy Legislation’, a series of obligations are laid down for those who process (i.e. collect, record, process, store, communicate, disseminate, etc.) personal data referring to other subjects (the ‘Processing’).
In this regard, the Company is required to provide you with some information regarding the methods and purposes of the Processing of your personal data, which it may come into possession of, during pre-contractual negotiations as well as during the formation and execution of contractual relationships with you, in existence and/or that may be established, having as their object the purchase and/or sale of goods, products and/or the provision of services (hereinafter ‘Contract’ or ‘Purchase Order’).
Data Controller and Data Processors
The Data Controller is the entity that determines the purposes and means of the Processing of personal data (the ‘Controller’), and is identified in the Company, in the person of the Chairman of the Board of Directors.
The Data Controller may be contacted by e-mail privacy@barabino.it.
Personal data may be processed on behalf of the Data Controller by another party designated by the Data Controller, the ‘Data Processor’.
If you wish to have more information on the updated list of Data Processors, you may send a written request to the Data Controller’s references indicated above.
Categories of data subject to processing
The Controller processes personal identification data (e.g. name, surname, tax code, VAT number, email, telephone number, etc.) communicated by you during pre-contractual negotiations, during the signing of the Contract and/or throughout the duration of the Contract.
Data collection may also be carried out following consultation of public registers, lists, deeds or documents that may be known by anyone within the limits and under the conditions established by the rules on their disclosure.
Purposes of the Processing
Your personal data will be processed by the Company without your express consent (art. 24 lett. a, b, c Privacy Code and art. 6, n.1, lett. b, e of the GDPR) for the following purposes
a) to respond to your requests for information;
b) to fulfil requirements prior to the conclusion of the Contract for the sale/purchase of goods and/or services of the Controller
c) to carry out the management of administration, accounting, orders, shipments, invoicing, services;
d) to fulfil all contractual and fiscal obligations arising from the relationship(s) with you
e) to fulfil the obligations provided for by law, by regulation, by European legislation or by an order of the Authority
f) to exercise the Controller’s rights, such as the right of defence in court.
We would also like to inform you that if you are already our customer, we may send you commercial communications relating to services and products of the Controller similar to those you have already used, unless you disagree (art. 130 paragraph 4 of the Privacy Code).
If the Data Controller intends to process your data for purposes other than those described above, it is obliged to inform you of such further purposes before such processing is carried out.
Legal Basis for Processing
The Processing of your data takes place to the extent that:
- explicit consent has been given to the Processing of such personal data for one or more specific purposes (Art. 6 par. 1 lett. a) and Art. 9 par. 2 lett. a) EU Reg. 679/2016);
- is necessary for the performance of a contract to which you are party or the performance of contractual measures taken at your request (Art. 6(1)(b) EU Reg. 679/2016);
- is necessary for the pursuit of the legitimate interests of the Company or of third parties, provided that your interests or your fundamental rights or freedoms which require the protection of personal data do not prevail (Art. 6 par. 1 lett. f) EU Reg. 679/2016).
Nature of data provision
The provision of data for the purposes indicated above is compulsory as it is required for the fulfilment of legal and contractual obligations. Any refusal to provide them or any subsequent lack of authorisation to process them may result in the impossibility for the Data Controller to carry out the contractual relationships in question.
Data processing methods
Data processing will be carried out automatically and/or manually, using methods and tools in compliance with the security measures set out in Article 32 of the GDPR and Annex B of the Privacy Code (Articles 33-36 of the Code), by specially appointed persons, in compliance with the provisions of Article 29 of the GDPR, for the sole purpose of pursuing the purposes for which the data were collected and, in any case, in such a way as to guarantee their security and confidentiality.
We also inform you that the Company processes your personal data in full compliance with the principles of correctness, lawfulness and transparency.
Scope of data communication
Your data may be made accessible to:
- employees and collaborators of the Data Controller in their capacity as Data Processors (the ‘Processors’) and/or internal Data Processors and/or system administrators;
- to credit institutions, transport companies, professionals/consultants/external collaborators (e.g. accountants’ offices, lawyers, payroll consultants, agents, IT services, shipping, auditing companies) – for legal obligations or for exclusively functional reasons within the scope of the execution of the Contract – who carry out activities in outsourcing on behalf of the Data Controller, in their capacity as autonomous external Data Controllers or Data Processors, appointed by the Data Controller.
Without your express consent – art. 24 lett. a), b), d) of the Privacy Code and art. 6 lett. b) and c) GPDR_ the Data Controller may disclose your data for the purposes of lett. a), b), c), d), e), f) of the paragraph ‘Purposes of the Processing’, to Supervisory Bodies, Judicial Authorities as well as to all other subjects (e.g. Labour Inspectorate, ASL, Social Security Institutions, ENASARCO, Chamber of Commerce) to whom the communication is compulsory by law for the fulfilment of the aforementioned purposes. These subjects will process the data in their capacity as autonomous Data Controllers.
Transfer of data to a third country or international organisation
Personal data are processed within the European Union and stored on servers located there. It is in any case understood that the Data Controller, should it become necessary, shall have the right to transmit such data to a third country or international organisation and/or move the servers also outside the EU. In this case, the Data Controller guarantees as of now that the transfer of data outside the EU will take place in compliance with the applicable legal provisions, as per Art. 44 of the Privacy Code and Art. 46 et seq. of the GDPR.
Personal data retention policy
The Company keeps your personal data acquired in its systems for a period of time that does not exceed the pursuit of the purposes listed above for the duration of the contractual relationship to which this policy refers.
In accordance with the principle of limiting the Processing and minimising the collection of data, the Company reserves the right in any case to keep your data no longer than 10 years, beyond the expiry date of the last Contract/Purchase Order signed between the parties.
Rights of the Data Subject
Lastly, the Company informs you that, pursuant to Articles 7 of the Privacy Code and Articles 15-22 of the GDPR, you, in relation to your personal data, have the status of Data Subject and may exercise specific rights at any time by contacting the Data Controller, such as
a) Right of access: the right to obtain from the Controller confirmation as to whether or not personal data is being processed and, if so, to obtain access to the personal data, as well as further information on the origin, purposes, category of data processed, recipients of communication and/or transfer of the data, the period of storage of the personal data or the criteria used to determine this period.
b) Right to rectification: the right to obtain from the Controller the rectification of inaccurate personal data without undue delay, as well as the integration of incomplete personal data, also by providing a supplementary declaration.
c) Right to erasure: the right to obtain from the Controller the erasure of personal data without undue delay in the event that:
- the personal data are no longer necessary in relation to the purposes of the Processing;
- the consent on which the Processing is based is withdrawn and there is no other legal basis for the Processing
- personal data have been processed unlawfully
- the personal data must be erased in order to comply with a legal obligation under EU or Member State law
- the Data Subject objects to the Processing and there is no overriding legitimate ground to proceed with the Processing, or where the Data Subject objects to the Processing in the cases provided for in Article 21(2) of the GDPR (personal data processed for direct marketing purposes)
d) Right to object to the Processing: the right to object at any time to the Processing, including profiling, if the legitimate interest of the Data Controller is overridden by the interests, rights and fundamental freedoms of the Data Subject, if it is carried out for direct marketing purposes, if personal data are processed for scientific or historical research purposes or for statistical purposes.
e) Right to restriction of Processing: the right to obtain from the Controller the restriction of the Processing, in cases where the accuracy of personal data is contested (for the period necessary for the Controller to verify the accuracy of such personal data), if the Processing is unlawful and/or the Data Subject has objected to the Processing and requested its restriction
f) Right to data portability: right to receive personal data in a structured, commonly used and machine-readable format and to transmit such data to another Data Controller, only for cases where the Processing is based on consent and only for data whose Processing is carried out by automated means.
g) Right to withdraw consent: where the Processing is based on your explicit consent, you have the right to withdraw your previously given consent at any time without prejudice to the lawfulness of the processing carried out on the basis of your consent lawfully given before the withdrawal.
h) Right to lodge a complaint with a supervisory authority: in the event of a breach of the Privacy Law, as a Data Subject, you have the right to lodge a complaint with the supervisory authority of the Member State in which you normally reside or work, or of the State in which the alleged breach occurred, without prejudice to any other administrative or judicial remedy.
If you wish to obtain further information on the Processing of your personal data and exercise the rights indicated above, you may send a written request using the contact details provided in the ‘Data Controller and Data Processor’ section of this notice.
In the event of a request from you for information regarding your data, the Data Controller will reply as soon as possible – unless this proves impossible or involves a disproportionate effort – and in any case no later than 30 days from the request. Any impossibility or delay on the part of the Controller in fulfilling requests will be adequately justified.
Automated decision-making processes
The Data Controller does not carry out Processing that consists of automated decision-making processes on the data processed.