DATA CONTROLLER

Gi Group Holding S.p.A.

with registered office in Piazza IV Novembre 5, 20124 Milan

telephone number 02444111, e-mail address: it.privacy@gigroupholding.com (‘Company’)

DATA PROTECTION OFFICER

Piazza IV Novembre 5, 20124 Milan, to the attention of the Data Protection Officer

e-mail address: dpo@gigroup.com

CATEGORIES OF DATA PROCESSED

Personal data’ means data relating to natural persons processed by the Company, including the names, contact information, etc. of the supplier natural person or the legal representative, employees, consultants and other persons working for the supplier legal person (who signs the contract).

WHY YOUR PERSONAL DATA ARE PROCESSED, AND WHAT IS THE CONDITION THAT MAKES THE TREATMENT LAWFUL? IS THE PROVISION OF DATA COMPULSORY? HOW LONG DO WE KEEP YOUR PERSONAL DATA?

1. Establishment and execution of the contractual relationship:

contractual fulfilment and execution of operations arising from the contract;

administrative and operational management of the relationship;

profile management on the supplier portal.

The legal basis legitimising the processing of your data and that of your legal representative is the performance of the contract ex Art. 6 (1)(b) GDPR.

The legal basis legitimising the processing of the data of its employees/consultants, who are involved in the activities referred to in the contract, is the performance of the contract ex Art. 6 (1)(b) GDPR.

The provision of data is mandatory for the achievement of the purposes listed above; therefore, any refusal to provide data does not allow the Controller to fulfil its contractual obligations. We keep your personal data for the duration of the contract and, after termination, for 10 years.

2. Administrative-accounting tasks and fulfilment of legal obligations:

fulfilment of accounting or tax obligations;

invoicing.

The legal basis for the processing is the fulfilment of a legal obligation under Article 6 (1)(c) GDPR.

The provision of data is obligatory for the achievement of the purposes listed above; therefore, refusal to provide data does not allow the Controller to fulfil its legal obligations. We keep your personal data for the retention periods provided for by the individual and specific laws applicable to the processing carried out for such purposes.

3. Management of disputes with suppliers

establishment, exercise or defence of a right in extrajudicial and/or judicial settlement, where necessary by the data controller.

The legal basis legitimising the processing is the legitimate interest of the Controller pursuant to Article 6 (1)(f) GDPR. We keep your personal data for the entire duration of the out-of-court and/or judicial proceedings, until the exhaustion of the time limits for judicial remedies and/or appeal actions.

After the above-mentioned retention periods have expired, personal data will be destroyed, deleted or anonymised, subject to technical deletion and backup procedures.

RECIPIENTS OF DATA

Personal data may only be processed by employees of the company departments authorised to process them, insofar as they are assigned to the pursuit of the aforementioned purposes. These employees have received adequate operational instructions in this regard.

Personal data may be disclosed by the Company to the following parties:

• audit firm;
• supervisory body;
• professional and consulting firms;
• insurance companies;
• Internal Revenue Service;
• Bilateral industry body;
• Business information companies;
• Group companies in Italy or abroad;
• Banking institutions.
• Personal data may also be processed by other external parties, expressly appointed as data processors, who provide the Company:
• Supplier database management and maintenance services;
• Archiving services;
• Communication mailing services;
• Collection and payment management services.

The updated list of recipients is available at our head office or by sending an e-mail to it.privacy@gigroupholding.com.

RIGHTS OF THE DATA SUBJECT

Data subjects may ask the Data Controller for access to the data, their deletion, the rectification of inaccurate data, the integration of incomplete data, as well as the restriction of processing in the cases provided for in Article 18 of the GDPR.

Data subjects have the right to object, at any time, in whole or in part, to the processing of data necessary for the legitimate pursuit of the data controller’s interest.

Furthermore, in the event that the conditions for exercising the right to portability under Article 20 of the GDPR are met, data subjects have the right to receive the data provided to the Data Controller in a structured, commonly used and machine-readable format, as well as, if technically feasible, to transmit it to another data controller without hindrance.

These rights may be exercised by writing by post to the above address, or by e-mail to the following e-mail address: it.privacy@gigroupholding.com. It is understood that where the request is made by electronic means, the information will be provided in a commonly used electronic format.

Data subjects have the right to lodge a complaint with the competent supervisory authority (in particular in the Member State where they habitually reside or work or in the State where the alleged infringement occurred).