Information Notice on the Processing of Suppliers’ Personal Data
Pursuant to Articles 13 and 14 of EU Regulation 2016/679
- DATA CONTROLLER and CONTACT DETAILS
The Data Controller for Personal Data is F.C.R. – Filtrazione Condizionamento Riscaldamento S.p.A
Registered Office: Corso Vittorio Emanuele II, 15 – Milano (MI)
Administrative Office: Via E. Fermi 3 – Cinisello Balsamo (MI)
Company Contacts: e-mail fcr@fcr.it – phone 02.61798.1; Privacy e-mail: privacy@fcr.it
- PERSONAL DATA SUBJECT TO PROCESSING
Within the scope of contractual relationships and related management activities, the Controller may process the following categories of personal data:
- Supplier’s biographical and identifying data: Company name, tax code, VAT number, legal and/or operational address, telephone and electronic contacts (e-mail, certified e-mail (PEC)), bank details (IBAN), etc.
- Data of relevant company personnel: Name, surname, role, e-mail and telephone contacts, if necessary for the management of the contractual relationship
- Professional’s data (in the case of individual supply, consultancy, or work performance by a sales agent): Identifying and contact data, relevant curricular information, details of professional insurance coverage, university degrees and/or specializations, qualifications
- Data of the supplier’s personnel employed under contract: Identifying, biographical, and potentially economic data, if the processing is necessary for purposes of health and safety in the workplace pursuant to art. 26 of Legislative Decree 81/08 and subsequent amendments
- Technical Data: In the case of IT suppliers and/or those responsible for managing digital systems and infrastructure, access logs, authentication identifiers, technical traces, and information relating to the activity carried out on company systems may also be processed, if relevant for purposes of IT security, incident management, and auditing
- PURPOSES AND LEGAL BASES
Personal data will be processed by the Controller for the following purposes, according to the corresponding legal bases provided by Regulation (EU) 2016/679:
- Execution of the contract
Processing necessary for the performance of a contract to which the data subject is party (art. 6, par. 1, letter b GDPR), specifically for:
- managing the contractual terms signed with the supplier
- verifying the actual provision and quality of the agreed services or supplies
- Fulfillment of legal obligations
Processing necessary for compliance with obligations required by current regulations (art. 6, par. 1, letter c GDPR), specifically:
- to fulfill tax, accounting, administrative, and regulatory obligations related to the service received
- to comply with obligations regarding health and safety at work, where required
- Legitimate interest of the Controller
Processing necessary for the pursuit of the legitimate interest of the Controller (art. 6, par. 1, letter f GDPR), including:
- protecting its rights in the event of disputes or complaints;
- monitoring the supplier’s performance and the services rendered, with a view to ensuring adequate quality standards;
- guaranteeing the security of IT infrastructures and systems, also through logging, access tracking, incident management, and analysis of anomalies or non-compliant behavior
- SCOPE OF COMMUNICATION AND RECIPIENTS
Data will be communicated to the minimum extent necessary to achieve the purposes, based on applicable legislation and/or a contractual agreement with the Controller, to:
- Internal personnel authorized to process data for:
- technical, commercial, and administrative services;
- verification and supervisory activities (e.g., activities of the Supervisory Body – ODV and internal audits aimed at maintaining and improving management systems).
- Service providers related and/or consequential to the agreed services, acting as Data Processors, such as:
- industry professionals
- companies appointed for the maintenance of information systems and software
- companies appointed to provide administrative, organizational, and legal consultancy
- Head of the Prevention and Protection Service
- consulting firms regarding health and safety in the workplace during contract activities pursuant to art. 26 of Legislative Decree 81/08 and subsequent amendments;
- group companies that provide auxiliary and support services
- Third parties operating as Autonomous Data Controllers, such as:
- public authorities, to the extent required by applicable law or their orders, or for the exercise, ascertainment, and/or defense of a right in court;
- banks, any insurance companies, certification bodies, etc., that provide auxiliary support services
4 bis. SUPPLIER’S DISCLOSURE OBLIGATION REGARDING PERSONAL DATA PROTECTION
The supplier undertakes to promptly notify the Data Controller of any event relevant to the protection of personal data, including: contractual changes that impact data processing; anomalies, critical issues, or non-compliance found in the provision of services; reports of complaints, privacy incidents, or data breaches; changes in sub-suppliers involved in the processing. These communications must be addressed to the Data Controller at the contacts indicated in this notice
- NATURE OF DATA PROVISION AND CONSEQUENCES OF REFUSAL TO PROVIDE IT
The provision of personal data is necessary for pre-contractual measures, the conclusion, and the proper execution of the contract; any refusal to provide the requested Personal Data will make it impossible to initiate or continue the commercial or professional relationship and the activities foreseen within it
- DATA DISSEMINATION
The data will not be subject to dissemination, except in cases provided for by law or necessary for the exercise of a right. No entirely automated decision-making process is envisaged. However, in relation to IT suppliers, technical monitoring tools may be activated for IT security and incident prevention purposes
- SOURCES
The data subject to Processing may be acquired through a reference person of the Supplier, subsequent transmissions, and transactions following the order
- DATA TRANSFERS TO THIRD COUNTRIES
The management and storage of personal data take place on servers located within Italian territory, including through cloud services located in the European Community. The personal data provided will not be transferred to third countries, i.e., outside the European Union or the European Economic Area. Any future need for transfer to third countries will be subject to prior notice to the data subject and will occur exclusively in compliance with the conditions of lawfulness provided for by articles 44 et seq. of Regulation (EU) 2016/679 (GDPR)
- DATA RETENTION PERIOD
The Personal Data will be processed for the time necessary to fulfill the above-mentioned purposes; in particular, administrative documentation and supporting documentation will be kept for at least ten years from their issuance, unless specific regulatory obligations impose longer retention periods
- RIGHTS OF THE DATA SUBJECT
Within the limits of applicable legislation and pursuant to articles 15 et seq. of Regulation (EU) 2016/679, the data subject has the right to access their personal data, request its rectification or erasure, object to its processing, request restriction of processing, and obtain the data concerning them in a structured, commonly used, and machine-readable format. Requests can be addressed to the Data Controller at the address privacy@fcr.it and will receive a response within 30 days of receipt, which may be extended by an additional 30 days in case of particular complexity, pursuant to art. 12, par. 3 of Regulation (EU) 2016/679. Where applicable, the data subject also has the right to lodge a complaint with the Garante per la protezione dei dati personali (Italian Data Protection Authority) or to appeal to the competent courts


