“Marketing” Information for suppliers about personal data processing ex art. 13 and 14 Regulation EU 2016/679

Data Controller
We inform you that, according to art. 13 and 14 of Regulation EU 201 6/679 (hereinafter “Regulation” or “GDPR”), Your Personal Data are processed by Engineering Ingegneria Informatica S.p.a. as Data Controller (“Controller”) also on behalf of all the Companies of Engineering Group. The Data Protection Officer (hereinafter, “DPO”) is achievable at this email address: dpo.privacy@eng.it.

Data object of the processing
The Controller will process your personal data, referred to the supplier or to the data subjects, as their collaborators, employees and/or contacts, collected as part of the contractual relationships with you, including, but not limited to, your name, last name, mobile phone-number, e-mail address and in general the Your contact details as a contact person in the commercial relations maintained.

Lawfulness, basis and optionality of processing
Your personal data will be processed for the following purposes:
a) execution of the contract and/or pre-contractual measures (purpose of “Execution of the Contract”);
b) fulfillment of any obligations foreseen by the law, by a regulation or by the Community legislation, such as, by way of example and not exhaustively: request of the names of your personnel (surname, first name, place and date of birth, date of employment) interventions to verify the possession of the technical and professional eligibility requirements, and related indication of the INPS and INAIL and CCNL positions applied, fulfillment of accounting, tax and regulatory obligations.Within this purpose are included the controls that the Controller carries out, for example, in the context of the adjustment to the D. Lgs. N. 231/2001 “Discipline of the administrative responsibility of legal entities, companies and associations also without legal personality, pursuant to Article 11 of the Law of 29 September 2000, n. 300 “, as well as for purposes related to the c.d. “whistleblowing” system provided for by Law n. 179/2017 containing “Provisions for the protection of perpetrators of reports of offenses or irregularities which they have come to know in the context of a public or private employment relationship”, or for the performance of their activities for the purpose of assessing compliance the obligation to abstention and to verify the non-existence, in the hands of employees and collaborators, of situations, even potential ones, of conflict of interests as defined and regulated in the DPR n. 62/2013 “Regulations containing the code of conduct for civil servants” – where applicable – and in the internal disciplinary code adopted by the Data Controller, called the “Engineering Group Code of Ethics” (purpose of “Compliance with Legislative Obligations and Protection Controls”);
c) management of suppliers, as well as control of their quality and performance (purpose of “Quality Control”);
d) in the event that it is necessary to ascertain, exercise or defend a right in court, as well as to carry out checks on data and network security and to prevent and combat possible IT crimes. (“Defensive and Preventing Computer Crime” purposes).

The legal bases of processing for purposes a) and b) are respectively articles 6 (1) (b) and 6 (1) (c) of the Rules.
The legal basis of processing for purposes c) and d) is art. 6 (1) (f) of the Regulations, that is to say the legitimate interest that the Controller has found to exist on the basis of the balancing of the interest.

The provision of your personal data for the purposes under a), b), c) and d) above is optional, but in default it will not be possible to establish business relations with the Supplier and / or to execute the contract.

Your personal data will also be processed, subject to your specific consent, for the following purposes:
e) carry out market research and statistical analysis, through automated tools (text messages, mms, emails, push notifications, faxes) and not (paper mail, telephone with operator); it is specified that the Data Controller collects a single consent for the marketing purposes described herein, in accordance with the General Provision of the Guarantor for the Protection of Personal Data “Guidelines on promotional activities and the fight against spam” of 4 July 2013; in any case, you wish to oppose the processing of your data for marketing purposes performed with the means indicated herein, as well as revoke the consent given, may at any time contact the Data Controller at the addresses indicated in this statement, without prejudice to the lawfulness of the treatment based on consent given prior to revocation (“Marketing” purposes).

The legal basis of processing for the purpose e) is art. 6 (1) (a) of the Rules.
The provision of your personal data for the purposes referred to in letter e) above is optional; there is no consequence in case.

Recipients and data transfer
Your personal data may be shared with:
– natural persons authorized by the Controller to process personal data pursuant to art. 29 GDPR for the performance of their job duties (eg employees and system administrators, etc.);
– service providers (such as consultants, credit institutions, etc.) who typically act as data processors pursuant to art. 28 of the GDPR;
– subjects, bodies or authorities that are obliged to communicate their personal data in accordance with law or orders of the authorities.

The data may be accessible to other companies of the Engineering group for the same purposes as above and / or for administrative and accounting purposes pursuant to art. 6 and to Recitals 47 and 48 of the GDPR.
The complete and updated list of data recipients may be requested to the Controller, at the addresses indicated above.

Extra EU data transfer
Regarding the possible transfer of Data to Third Countries, the Controller discloses that the processing will take place according to one of the methods permitted by the law in force, such as the consent of the data subject, the adoption of Standard Clauses approved by the European Commission, the selection of data subjects adhering to international programs for free circulation of data (eg EU-USA Privacy Shield) or operating in safe Countries by the European Commission. It’s possible to have more informations to the above contacts, upon request, from the Controller.

Personal data storage
Your Personal Data will be kept only for the time necessary for the purposes for which they are collected, respecting the minimization principle as art. 5, paragraph 1, letter c) of the GDPR. The Controller may keep some data even after the termination of the contractual relationship, for the time necessary to fulfill contractual and legal obligations. Further informations are available at the Controller addresses.

Data processing methods
In relation to the mentioned purposes, the personal data processing takes place using manual, computerized and telematic tools with logic strictly related to the purposes themselves and, in any case, in such a way as to guarantee the security and confidentiality of the data and even the compliance with specific obligations sanctioned by the law. By signing the Contract, the Supplier undertakes to provide all interested parties whose data will be provided with this information and where necessary to obtain the relative consent to the processing of data.

Your privacy rights
You have the right to ask the Controller, at any time, access to their personal data, correct or cancel them or oppose their processing, he is entitled to request the limitation of processing in cases provided for by art. 18 of the GDPR, to revoke the consent given pursuant to art. 7 of the GDPR at any time; to obtain, in a structured format, in common use and readable by automatic device, the data concerning it, in the cases provided for by art. 20 of the GDPR; and to propose a complaint to the competent control authority pursuant to article 77 of the GDPR (Personal Data Protection Authority), if it considers that the processing of your data is contrary to the law in force.

You can make a request to object to the processing of data under Article 21 of GDPR which give evidence of the reasons justifying the opposition: The Controller reserves the right to assess your application, which would not be accepted in case of existence of legitimate reasons cogent to proceed with the processing that prevail over your interests, rights and liberties.

Requests must be sent in writing to the Controller or to the DPO at the addresses above indicated.