With this information on the processing of personal data (hereinafter, the “Policy”), BMG Barberino S.r.l. (hereinafter, the “Company” or the “Data Controller”), in its capacity as data controller, wishes to inform its suppliers of goods and/or services and other contractual counterparties in the context of a different business relationship (the “Suppliers”), about the methods and purposes of processing their personal data, in accordance with the European Regulation on the protection of personal data no. 679/2016 (hereinafter, “European Regulation”) and Legislative Decree no. 196/2003, as subsequently amended and supplemented by Legislative Decree 101/2018 (hereinafter, “Privacy Code”).
WHO ARE THE DATA CONTROLLER AND DATA PROCESSOR?
BMG Barberino S.r.l. with registered office in via A. Manzoni 38 – 20121 Milan (MI), VAT no. 05176070489, which can be contacted at the following e-mail address privacy@barberinooutlet.com, is, as the lessor of its commercial spaces, the data controller of the personal data of the Tenants, which takes place in the manner and for the purposes indicated in this Policy. The Data Controller has appointed a Data Protection Officer (“DPO”), who can be contacted at the e-mail address dpo@barberinooutlet.com.
The Data Controller has also appointed Promos S.r.l. – Tax Code/VAT number: 03123920179 – with registered office in Via San Zeno, 173 – 25124 Brescia (BS), which can be contacted at the e-mail address privacy@promosgroup.it, as the Data Processor, as the person responsible for the commercial management of the Outlet, as well as for relations with customers of the same. The Data Processor has also appointed a DPO, who can be reached at the e-mail address dpo@promosgroup.it or by writing to his office, as indicated above.
• TO WHOM DOES THE NOTICE APPLY?
This Policy applies to the Controller’s processing of personal data of: at. Suppliers, if they are individuals or sole proprietorships; and b. legal representatives, shareholders, directors, attorneys, members of the board of statutory auditors, members of the supervisory body, technical directors, other persons with powers of representation and/or management and/or control who are natural persons, as well as employees and collaborators of the Suppliers (hereinafter jointly referred to as the “Data Subjects”).
• WHAT PERSONAL DATA IS PROCESSED?
The Data Controller collects the following types of personal data relating to the Supplier and/or the Data Subject (hereinafter jointly the “Data”) at the time of negotiations and signing of the contract and subsequently in execution of the same:
a. Identification and contact details of the Supplier, such as company name, headquarters, address, any secondary offices, VAT number, tax code of the Supplier, in the event that the Supplier is a natural person or a sole proprietorship;
b. Identification and contact data of the Data Subjects, such as name, surname, and role held, and email address and telephone number;
c. Supplier’s tax data, with particular reference to those relating to the declarations required by applicable legislation (e.g., INPS, INAIL, DURC, DUVRI declarations, etc.);
d. Bank and payment details, including the SDI code for electronic invoicing and the IBAN;
e. Information on the profession or work activity carried out, including the profession, membership of national orders or registers and the role held in the company/institution to which the Data Subject belongs; and
f. Additional personal data relating to the Data Subject that may be collected by the Data Controller during the negotiation phase and/or conclusion and/or execution and/or termination of the contract for the supply of goods and/or services or the different commercial relationship established with the Data Controller
In particular, the Data are collected:
• directly from the Data Subject, where the Provider is a natural person;
• by the organization or entity to which the Data Subject belongs as a partner, employee or person in charge of the Supplier;
• from publicly accessible lists, registers and other sources (for example, in the event that the Data Controller collects the Data on the Supplier’s Chamber of Commerce certificate); and/or
• from databases of subjects that offer information on the commercial reliability of companies and entrepreneurs.
In the event that, for the execution of the contract, the Supplier provides the Data Controller with Data referring to other Data Subjects, the Supplier is required to inform said Data Subjects of the processing of their Data by the Company, providing them with a copy of this Policy. In any case, it is recommended not to provide Data that is not strictly necessary for the pursuit of the purposes referred to in this Policy and, in any case, within the limits of what is requested by the Data Controller.
• FOR WHAT PURPOSES ARE THE DATA PROCESSED?
The Data Controller processes the Data of the Data Subjects for:
a. to carry out negotiations and execute the contract for the supplier of goods and/or services to which the Supplier is a party (hereinafter, the “Contractual Purposes”);
• to comply with the obligations deriving from the applicable legislation, in particular in tax, tax, procurement and anti-money laundering matters, including the execution of mandatory communications to the competent administrations and authorities and to the supervisory bodies, as well as to comply with requests from the same (hereinafter, the “Legal Purposes”);
• verify the security and commercial and financial reliability of its Suppliers and other contractual counterparties, prevent fraud, ensure the soundness of management and the correct execution of commercial relations between the Data Controller and its Suppliers and other contractual counterparties,
• assert and defend its rights, including in the context of debt collection procedures, against the Supplier or third parties in any dispute; and
• carry out activities functional to the sale of companies and business units, acquisitions, mergers, demergers or other transformations and for the execution of such transactions (the purposes referred to in letters c) to e) are jointly defined as the “Purposes of Legitimate Interest”).
• ON WHAT LEGAL BASIS IS THE DATA PROCESSED?
The processing of Data is necessary with reference to the Contractual Purposes and the Legal Purposes, in order to (i) negotiate, stipulate, execute and/or terminate the contract with the Supplier; and (ii) comply with applicable regulations, pursuant to Article 6, letters b) and c) of the European Regulation. Failure to provide Data for these purposes will make it impossible for the Data Controller to enter into the contract with the Supplier.
The processing of Data for the Purposes of Legitimate Interest is carried out pursuant to Article 6, letter f) of the European Regulation for the pursuit of the legitimate interest of the Data Controller, which is fairly balanced with the rights and freedoms of the Data Subjects, as the Data processing activity is limited to what is strictly necessary for the execution of the economic operations and other activities indicated above. Processing for the Purposes of Legitimate Interest is not mandatory and the Data Subject may object to such processing in the manner indicated in paragraph 10 of this Policy, but if the Data Subject objects to such processing, his/her Data may not be used for the Purposes of Legitimate Interest, unless the Company demonstrates the presence of overriding compelling legitimate reasons or the exercise or defence of a right pursuant to Article 21 of the European Regulation.
• HOW IS THE DATA PROCESSED?
The Data is processed both with the aid of IT or automated tools, and on paper, adopting suitable security measures to guarantee the protection and confidentiality of the Data. In particular, the Data Controller adopts appropriate organizational and technical measures to protect the Data in its possession against loss, theft, as well as unauthorized use, disclosure or modification of the Data.
• TO WHOM IS THE DATA COMMUNICATED?
For the purposes referred to in paragraph 4, the following categories of subjects may have access to the Data: a. personnel of the Data Controller or of the subjects indicated below, as persons in charge of processing, within the scope of their respective duties;
b. suppliers of services instrumental to or support those carried out by the Data Controller, including legal, administrative and tax consultants, banking institutions for the management of payments deriving from the execution of the contract with the Supplier, suppliers of technological services;
c. subcontractors and/or subcontractors engaged in activities related to the execution of the contract between the Data Controller and the Supplier;
d. public bodies and/or judicial and/or control authorities whose right of access to the Data is provided for by applicable legislation; and e. other transferees of a company or business unit, companies resulting from possible mergers, demergers or other transformations of the Data Controller.
These subjects act, as the case may be, as independent data controllers or data processors.
The complete and updated list of subjects who process the Data as data processors is available upon request to the Data Controller, by sending a communication to the addresses indicated below in paragraph 10. In any case, the Data will not be disseminated.
8. IS THE DATA TRANSFERRED ABROAD?
The Data is not transferred to countries located outside the European Economic Area. In the event that it becomes necessary to transfer the Data outside the European Economic Area to a third country or an international organization that does not guarantee an adequate level of protection as provided for by the European Commission, the Company will adopt an appropriate mechanism for the transfer and the guarantees required for the purposes of the transfer itself, pursuant to articles 44 et seq. of the European Regulation.
• HOW LONG IS THE DATA STORED?
The Data are stored by the Data Controller for the period of time strictly necessary to pursue the purposes for which such Data were collected.
In particular, with reference to:
a. Contractual Purposes, the Data are stored for a period equal to the duration of the contract (including any renewals) with the Supplier and for 10 years following the termination, termination or withdrawal of the same, except in cases where retention for a subsequent period is required for any disputes, requests from the competent authorities or pursuant to applicable legislation;
b. Legal Purposes, the Data are stored for the duration prescribed for each type of Data by law; c. Purposes of Legitimate Interest, the Data are stored for a period equal to the duration of the contract (including any renewals) with the Supplier and for the following 10 years, in the event that the Data are necessary to protect and enforce the rights of the Data Controller against the Supplier, the Data Subject and/or third parties in the event of any legal disputes.
In the event that the processing is aimed at carrying out activities functional to the sale of business and business unit, acquisitions, mergers, demergers or other transformations, the retention periods listed above will apply with respect to the main processing that takes place. At the end of the retention period, the Data will be deleted or anonymized.
WHAT ARE THE RIGHTS OF THE DATA SUBJECTS?
Without prejudice to the Data Subject’s right not to provide his/her, Data, the Data Subject, at any time and free of charge, may:
a. obtain confirmation of the existence or otherwise of Data concerning him/her;
b. to know the origin of the Data, the purposes of the processing and its methods, as well as the logic applied to the processing carried out by electronic means;
c. request the updating, correction or – if interested – the integration of the Data concerning him/her;
d. obtain the cancellation, transformation into anonymous form or blocking of any Data processed in violation of the law, as well as to object, for legitimate reasons, to the processing;
e. revoke their consent, if previously given;
f. ask the Data Controller to limit the processing of Data concerning him/her in the event that (i) the Data Subject contests the accuracy of the Data, for the period necessary for the Data Controller to verify the accuracy of such Data; (ii) the processing is unlawful and the Data Subject opposes the erasure of the Data and instead requests that its use be limited; (iii) although the Data Controller no longer needs them for the purposes of processing, the Data are necessary for the Data Subject to ascertain, exercise or defend a right in or out of court; (iv) the Data Subject has objected to the processing pursuant to Article 21, paragraph 1, of the European Regulation pending verification of whether the legitimate reasons of the Data Controller prevail over those of the Data Subject;
g. object at any time to the processing of your Data for Purposes of Legitimate Interest; and h. obtain the portability of the Data concerning him/her. The Data Subject will also have the right to lodge a complaint with the Data Protection Authority at the contacts available on the www.garanteprivacy.it website, where the conditions are met.
In the event of the death of the Data Subject, pursuant to Article 2-terdecies of the Privacy Code, the aforementioned rights relating to his/her Data may be exercised by those who have an interest of their own, or act to protect the Data Subject in their capacity as his/her representative, or for family reasons worthy of protection.
The Data Subject may expressly prohibit the exercise of some of the rights listed above by his successors in title by sending a written declaration to the Data Controller in the manner indicated below.
This declaration may be revoked or amended later in the same manner.
In the event of doubts or concerns regarding this Policy or in the event of exercising the rights provided for therein, the Data Subject may contact the Company by writing to the e-mail address privacy@barberinooutlet.com.
CHANGES AND UPDATES TO THE POLICY
This Policy is effective as of the effective date set forth below. However, the Data Controller may make changes and/or additions to this Policy, also because of any subsequent amendments and/or additions to the regulations. In any case, the changes will be notified in advance and the Data Subjects will be able to view the text of the Policy constantly updated on the website https://www.barberinooutlet.com/en/privacy-information/
19/07/2024