GENERAL INFORMATION
Customers/suppliers and their representatives (hereinafter referred to as “data subjects”, as per Art. 4, par. 1 of the GDPR) are informed that the professional relationships established with the Data Controller may involve the processing of personal data, in accordance with the following general principles:
• All data is processed lawfully, fairly and transparently, in accordance with the general principles set out in Art. 5 of the GDPR;
• Specific security measures are in place to prevent data loss, unlawful or improper use, and unauthorized access;
• The Data Controller is Compagnia Generale Ripreseaeree Spa, Via Cremonese 35/A, 43121 Parma, email: privacy@cgrspa.com;
• Data subjects may contact the Data Controller to exercise their rights under Articles 15–21 of the GDPR (including the right of access, rectification, erasure, restriction, portability, objection), withdraw previously given consent, or lodge a complaint with the competent Data Protection Authority.
PURPOSE AND LEGAL BASIS FOR PROCESSING
The Data Controller processes personal identification data of customers/suppliers (e.g. name, surname, company name, personal/tax data, address, phone number, email, banking and payment details) and their operational contacts (e.g. name, surname, contact details) acquired and used in the provision of its services. Data is processed for the following purposes:
• Establishing contractual/professional relationships;
• Fulfilling pre-contractual, contractual, and tax obligations related to existing relationships, and managing related communications;
• Complying with legal, regulatory, or EU obligations, or with orders from Authorities;
• Pursuing the legitimate interests or rights of the Data Controller (e.g. legal defense, credit protection, internal operational, management, and accounting needs). Failure to provide the required data will prevent the establishment of a relationship with the Data Controller. The above purposes represent suitable legal bases under Art. 6, paragraphs b, c, and f of the GDPR. If data is processed for other purposes, specific consent will be requested from data subjects.
METHOD OF PROCESSING
Data is processed in accordance with Art. 4, no. 2 of the GDPR, including: collection, recording, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, restriction, communication, erasure, and destruction. Processing may be carried out on paper or by electronic/automated means. Data will be retained for as long as necessary to fulfill the purposes for which it was collected and to meet legal obligations.
SCOPE OF PROCESSING
Data is processed by internal staff who are properly authorized and trained in accordance with Art. 29 of the GDPR. The scope of data disclosure may be requested to identify external entities acting as Data Processors or independent Controllers (e.g. consultants, technicians, banks, carriers). Personal data may also be shared between companies within the same Group. Data will not be publicly disclosed or transferred outside the EU. In the context of tenders/contracts or compliance with legal obligations (e.g. joint liability, anti-corruption, anti-mafia, anti-money laundering), if the Controller needs to process personal data of employees of clients/suppliers, the parties agree that the Controller will be authorized to process such data as an External Processor (Art. 28 GDPR) or as an Authorized Party (Art. 29 GDPR). In such cases, the Controller undertakes to process the data in compliance with GDPR requirements and to disclose it to third parties only when legally required.