INFORMATION NOTICE TO CLIENTS AND SUPPLIERS

Podini S.p.A. (hereinafter, the “Data Controller”) hereby provides the following information regarding the processing of your personal data, pursuant to and for the purposes of Article 13 of EU Regulation 2016/679.

1. Purpose of the processing of personal data and legal basis for processing

The Data Controller processes the identifying personal data (e.g., first name, last name, company name, address, telephone, e-mail, bank and payment details), hereinafter referred to as “personal data” or “data,” which you provide in connection with the conclusion of contracts relating to services rendered or to be rendered, for the following purposes:

1. for the fulfillment of the contractual services agreed upon or for the fulfillment of pre-contractual activities related to or subsequent to such services and/or to comply with specific requests communicated. In these cases, the legal basis for processing is the performance of contractual or pre-contractual obligations by the Data Controller;
2. for the proper fulfillment of obligations imposed by laws, regulations, or EU legislation, as well as to comply with measures issued by public authorities or by supervisory and control bodies to which the Data Controller is subject (e.g., tax assessments, etc.). In these cases, the legal basis for processing consists in the fulfilment of a legal obligation under Article 6(1)(c) of the Regulation;
3. upon your explicit consent, for commercial or marketing purposes, such as, by way of example, to benefit from “News Alert” services via e-mail or SMS, to receive newsletters regarding the activities of the Data Controller or company brochures, for service quality surveys or statistical research. In these cases, the legal basis for processing is the explicit consent pursuant to Article 6(1)(a) of the Regulation.

2. Nature of data provision and consequences of failure to provide data

The provision of data for purposes (a) and (b) is necessary for the management of the contractual relationship and for compliance with legal obligations. Failure to provide personal data or to give consent to their processing will prevent the Data Controller from proceeding with the requested services and form pursuing the purposes referred to in Section 1, letters (a) and (b) of this information notice.

The provision of data for the purposes referred to in Section 1, letter (c) of this information notice is optional, and the data subject is therefore free to give or deny consent. Even after consent has been given, the data subject may revoke it at any time.

3. Methods of data processing

The processing of your personal data will be carried out in accordance with the principles of lawfulness, fairness and transparency, ensuring the protection of your privacy as well as that of your family members, in compliance with the principles set out in Article 5 of the EU REG. Data processing may be performed manually, using paper documentation, and also with the aid of electronic or otherwise automated means.

The data are collected and processed at the Data Controller’s registered office, in dedicated document archives/servers.

Your personal data are processed using appropriate technical and organizational security measures pursuant to Article 32 of the EU REG., in order to ensure a level of security adequate to the risk, minimizing the risks of destruction or loss, unauthorized access, or processing not in compliance with the purposes of collection.

Your personal data are neither subject to automated decision-making processes nor to profiling.

4. Data disclosure and transfer abroad

Your personal data are not disseminated.

For the fulfillment of the purposes referred to in Section 1 of this information notice, the Data Controller may need to disclose your personal data to trusted external parties, specifically:

1. companies belonging to the group;
2. banks for banking and payment services, companies that manage digital postal services, document archiving and storage providers, and other outsourcing service providers offering ancillary services;
3. the Data Controller’s legal and tax advisors;
4. insurance or reinsurance companies, or directly to third-party responsible entities in case of recourse action by the company.

These parties, depending on the circumstances, will process the data as independent data controllers or as “data processors” duly appointed under contractual agreements drafted in accordance with Article 28 of the EU REG.

Your personal data will generally not be transferred to a third country outside the EU or to international organizations. However, should such a transfer become necessary, it will be carried out in compliance with the provisions of the EU Regulation.

5. Retention period of personal data

Your personal data will be retained for the entire duration of the contractual relationship and also after its termination for the period necessary to fulfill all applicable legal obligations (e.g., tax obligations) and/or administrative obligations connected to or resulting from the contractual relationship itself (10 years). Marketing data will be retained for the duration required by law and in any case until you revoke your consent.

6. Identity and contact details of the Data Controller, Privacy Officer and of the Responsible Data Protection Officer (“Data Protection Officer”)

The Data Controller is: Podini S.p.A., via S. Lattauda 30, 20135 Milano (MI) e-mail privacy@podinispa.it, telephone (secretariat/URP): 0471 533533, fax 0471 210533, PEC podinispa-poh@pec.it. .

The Privacy Officer to whom you may address requests to exercise the rights provided under the EU REG., listed in the following section, can be contacted using the following details: Podini S.p.A., via S. Lattauda 30, 20135 Milano (MI) e-mail privacy@podinispa.it, telephone (secretariat/URP): 0471 533533, fax 0471 210533, PEC podinispa-poh@pec.it.

The Data Controller has appointed a Data Protection Officer (“DPO”) that can be contacted by writing to dpo@podinispa.it.

7. Rights of the data subject

At any time, pursuant to Articles 15 to 22 of the Regulation, you have the right to:

1. request confirmation as to whether or not your personal data exist;
2. obtain information regarding the purposes of the processing, the categories of personal data, the recipients or categories of recipients to whom the personal data have been or will be disclosed, and, where possible, the retention period;
3. obtain the rectification and deletion of data;
4. obtain the restriction of processing;
5. (where applicable) obtain data portability, i.e., to receive the data from a data controller in a structured, commonly used, and machine-readable format, and transmit them to another data controller without hindrance;
6. object to processing at any time, including for direct marketing purposes;
7. object to an automated decision-making process concerning natural persons, including profiling;
8. request access to your personal data from the data controller, as well as the rectification or deletion of such data, or the restriction of processing concerning them, or to object to their processing, in addition to the right to data portability;
9. withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal;
10. lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali), located in Rome, Piazza Venezia No. 11, official website: www.garanteprivacy.it.

The exercise of these rights can be carried out by contacting the Data Controller, the Privacy Officer, or the Data Protection Officer, if present, at the contacts provided above.

The Data Controller reserves the right to modify, update, add, or remove parts of this privacy information following any subsequent changes in the legislation. The data subject is obliged to periodically check for any modifications on the company’s website.