Notice to customers, suppliers, agents and external consultants pursuant to ex art 13 and 14 EU Reg. 2016/679 concerning the protection and the treatment of personal data (GDPR)

Dear Customer / Supplier / Agent
We wish to inform you that the European Regulation n. 679 of April 27, 2016 provides the protection of individuals with regard to the treatment of their personal data.
In carrying out its activities / functions, the company needs to process the personal data of its suppliers, agents and consultants (also referred to as data subject) and therefore plays the role of Data Controller.
The personal data you provide will be processed according to the principles of fairness, lawfulness, transparency, protection of confidentiality, relevance and non-excess with respect to the responsibilities pursued in full compliance with the current legislation on the protection of personal data.
Therefore, according to the articles 13 and 14 of the REG. EU 2016/679, we provide you with the following information:

1. Data controller

Luigi Carnevali of Carnevali and Meddi and C. S.a.S.
Via Veneto n. 6, hood 20090, Buccinasco (MI)
Tel: +39 02 48.86.733 — mail — ​​
To exercise of your rights, as well as to receive any information relating to your rights, and / or about this notice, you can contact the Data Controller at the aforementioned addresses.


2. Categories of data processed and source
The Data Controller will process the personal data, directly provided by you or acquired by third parties (for example your employer) in execution of the existing contracts, of a common and contact nature (name, surname, telephone number, e-mail and other contact details, tax code) and your financial data (IBAN) for the purposes indicated in point 3.
The processed data are normally acquired from the data subject, but they may be communicated to the Company by other controlled subjects (e.g. agents). Whatever the origin of the collection of personal data being processed, read carefully the following information.


3. Purpose of the treatment and legal basis
Your personal data will be processed by the Data Controller for the following purposes:
a) linked to the establishment and execution of the contractual relationship, including pre-contractual activities, order management, the assignment of the related tasks and mandates, the management of contractual communications and updates on products, on price list and prices; the legal basis for this purpose is a contract to which you are a part of, pursuant to article 6, first paragraph, letter b), of the GDPR, or, where you are an referring employee of the supplier-legal person, the legitimate interest of the Data Controller, according to the article 6, first paragraph, letter f), of the GDPR, deriving from the need to interact, through you, with the supplier-legal person;
b) administrative-accounting purposes or fulfilment of the legal provisions, regulations and provisions issued by authorities; the legal basis for this purpose is the admission of a legal obligation to which the Data Controller is subject according to the article 6, first paragraph, letter c), of the GDPR;
In these cases, your consent is not required and the providing your data is mandatory. In the event that you refuse to provide personal data, you cannot enter into and / or execute the contract.
c) purposes related to the possible management of disputes; in the latter case, the legal basis for this purpose is the pursuit of a legitimate interest of the Data Controller for the defence in court, according to the article 6, first paragraph, letter f), of the GDPR.
d) purposes related to any evaluation of suppliers. The legal basis for this purpose is the pursuit of a legitimate interest of the Data Controller, according to the article 6, first paragraph, letter f), of the GDPR.
In these cases, your consent is not required, you can object to the processing at any time by making a request to the Data Controller.
e) the optional, explicit and voluntary sending of personal data — including by e-mail or in the case of form activation on the site — involves the subsequent and necessary acquisition of the sender’s address and of the data provided by the same in order to give feedback to requests. In this case, no data is communicated or disclosed except for performing the service or required performance.


4. Retention period and treatment methods.
The personal data being processed will be collected in documents which are established, consistently with the processing purposes as summarized below:

  • for the purposes referred to in par. 3 lett. a), will correspond to the entire duration of the contractual relationship and, after its termination, will continue for a period of 10 years from the date of issue of the relative documents;
  • for the purposes referred to in par. 3 lett. b), will correspond to the entire duration of the contractual relationship and, after the termination of the same, will continue for a period of 10 years;
  • for the purposes referred to in par. 3 lett. c), will be equal to the duration of the dispute and will continue for the next 10 years.
  • for the purposes referred to in par. 3 lett. d), will be equal to the duration of the assessment / certification and will continue for the next 10 years.

The processing will take place, in compliance with the GDPR regulations, using paper, IT and telematic tools, with methods suitable for guaranteeing an adequate level of security and confidentiality, in accordance with the regulations of article 32 of the GDPR.


5. Recipients of the processed data.
The personal data processed for the purposes described in paragraph 3) will be known by the employees, assimilated staff and collaborators of the Data Controller, as persons authorized to process personal data or by the designated Data Processors (Labor consultant, software supplier company, Provider, Accountant)
Furthermore, for the same purposes, your personal data may be processed by third parties belonging, by way of an example, to the following categories:

  • banking institutions, public administrations (Revenue Agency, Public Authorities), social security institutions;
  • external subjects and companies that perform various types of services on behalf of the Data Controller, such as: IT system management services, accounting services, freight forwarding or correspondence services, professionals for specific issues in opinions / consultancy, etc.

The subjects belonging to the above categories operate, in some cases, as data processors specially appointed by the Data Controller in compliance with the Article 28 GDPR; in other cases in total autonomy as separate data controllers, being understood that, in the latter case, the communication of your personal data to these independent data controllers would take place only for pursuing the purposes referred to in the par. 3.
The complete and updated list of subjects to whom your personal data may be communicated can be requested by contacting the Data Controller at the address indicated in par. 1 of this notice.
Your personal data will not be disclosed.
Data subjects will not be subjected to decisions based solely on automated processing, including profiling.


6. Transfer of personal data outside the European Union
For technical — organizational needs, your data may be transferred to countries outside the European Union: this transfer is legitimate as it is guaranteed by the existence of adequacy decisions issued by the European Commission and / or standard protection clauses based on of the models adopted by the European Commission pursuant to art. 46 of the GDPR.
The rights of access to the transferred data and the information about the places where they were transferred are available upon request to the Data Controller.


7. Data Subject’s rights.
In relation to the treatments described in this notice, as an data subject, you can, under the conditions provided by the GDPR, exercise the rights protected in articles 15 — 21 of the GDPR, in particular:
• right of access — article 15 GDPR: the right to obtain confirmation whether the personal data is being processed and obtain access to your personal data — including a copy of the same -. More precisely, where provided, you may:
– obtain an indication of the origin of the personal data, of the purposes and methods of the processing, of the categories of the personal data concerned, of the criteria used to determine the retention period, who is the Data Controller and, if appointed, the DPO, of the subjects or categories of subjects to whom the personal data may be communicated or who can learn about them as appointed representative in the territory of the State, managers or agents;
– be informed of the existence of an automated decision-making process, including profiling, which produces legal effects concerning you or which significantly affects your person in a similar way;
– be informed of any transfers of personal data to a third country or to an international organization according to articles 44 and 45 of the EU Reg. and the existence of adequate requirements and guarantees according to art. 46 of the EU Reg.;
– right to data portability: gives individuals the right to receive personal data they have provided to a controller in a structured, commonly used and machine readable format. It also gives them the right to request that a controller transmits this data directly to another controller.
right of rectification — article 16 GDPR: right to obtain, without undue delay, the correction of inaccurate personal data concerning you and / or the integration of incomplete personal data;
right to erasure (right to be forgotten) — article 17 GDPR: right to obtain, without undue delay, the erasure of personal data concerning you, when: — the data are no longer necessary with respect to the purposes for which they were collected or otherwise processed; — You have revoked your consent and there is no other legal basis for the processing; — You have successfully opposed the processing of personal data; — the data have been unlawfully processed, — the data must be deleted in order to fulfil a legal obligation; — personal data have been collected in relation to the offer of information society services referred to in Article 8, paragraph 1, GDPR.
right to restriction of processing — article 18 GDPR: right to obtain the restriction of processing, when where one of the following applies: — the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data; — the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; -the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.
communicate — Article 19 GDPR — to each of the recipients to whom the personal data have been transmitted, any corrections, cancellations or limitations by the Data Controller.
right to data portability — article 20 GDPR: right to receive, in a structured format, commonly used and readable by an automatic device, the personal data you provided to the Data Controller and the right to transmit them to another holder without impediments, if the treatment is based on consent and is carried out by automated means. Furthermore, the right to obtain that your personal data is transmitted directly by the Data Controller to another data controller if this is technically feasible;
right of opposition — article 21 GDPR: right to object to the processing of personal data concerning you according to the article 6 par. 1 letters e) or f), including profiling on the basis of these provisions, unless there are legitimate reasons for the Data Controller to continue processing;
right to lodge a complaint with the Supervisory Authority— article 77 GDPR: if you believe that the processing of your data violates the General Data Protection Regulation, you can lodge a complaint with a Supervisory Authority in the Member State in which you habitually reside or works, or in the place where the violation occurred.
The aforementioned rights may be exercised against the Data Controller by contacting the references indicated in the previous par. 1. Requests to exercise the right must be made in writing and accompanied by an identification document.
The Data Controller will take charge of your request and provide you, without undue delay, at the latest, within one month of receiving it, the information relating to your request.