Privacy Policy

PERSONAL DATA PROCESSING POLICY
Pursuant to Articles 13 and 14 EU Regulation 2016/679

Bernardi Impianti s.r.l. respects the persons with whom it comes into contact and treats with care the personal data it uses to carry out its activities.

In confirmation of this commitment and in order to implement the rules that protect the processing of personal data we provide below, pursuant to Articles 13 and 14 of the EU Regulation 2016/679 on the protection of personal data (“Regulation”), the information that allows you to easily and consciously exercise your rights under the current legislation.

Data controller (who decides why and how your data are processed)

Bernardi Impianti s.r.l. with registered office in Via Papa Giovanni XXIII n°12-20058 Zibido San giacomo -MI-, tax code and VAT no. 08272150965, in the person of Elisa Belloli.

Data source (what is the origin of the data processed)

Data are collected directly from the person concerned or from third parties due to legal obligations or contractual requirements, also by consulting databases.

Type of personal data (what data is processed)

The data transmitted by you in relation to your personnel involved in the performance of contracts, including the names of your employees for the management of contracts, telephone numbers, e-mail addresses, any data relating to the verification of the regularity of payroll and social security contributions in the performance of contractual obligations for the provision of services, any data of the legal representatives for the purposes of economic-financial audits (hereinafter “Interested Parties”) – whether provided directly by you or obtained from public sources (e. g. Chambers of Commerce) – will be processed by the Controller, in accordance with the Regulation and national legislation in force, including any measures issued by the Supervisory Authority where applicable. g. Chambers of Commerce) – will be processed by the Data Controller in accordance with the Regulation and the applicable national legislation, including any measures issued by the Supervisory Authority where applicable.

In particular, the Controller mainly processes the following categories of personal data:

• identification and contact data (e.g. name, surname, telephone contact details);
• data concerning entries in registers, rolls and registers;
• images (e.g. photos on identity documents; images recorded by surveillance cameras);
• any other data provided by the supplier.

Purpose (what is the purpose of data processing)

The processing of the Data Subjects’ data is carried out by the Data Controller in the course of its economic and commercial activities for purposes connected with the possible selection, establishment, management and execution of commercial/contractual relations (including the management of the pre-contractual relationship and/or inclusion in the suppliers’ list). In particular, the data will be processed for the fulfilment of legal and regulatory obligations (e.g. tax and accounting obligations, obligations arising from the regulation of contracts and health and safety at work, for the qualification of suppliers); the administrative management of contracts, including the management of invoices and payments; the receipt of goods and/or services at our premises; the management of any litigation, as well as for the purposes of internal audits (safety, productivity, quality of services), management control, certification, and the protection of company assets.

The data of the Interested Parties may also be processed for periodic activities to assess the existence of the ethical and legal requirements established by the Data Controller in its Code of Ethics, as well as to assess the effective application of the Organisational Model pursuant to Legislative Decree no. 231/2001.

Legal basis of processing (conditions of lawfulness of processing)

For the processing of data for the above-mentioned purposes, it is not necessary to obtain the specific consent of the data subjects, as the Data Controller may avail itself of the exemptions set out in Art. 6.1 b) (processing is necessary for the performance of a contract to which the data subject is party), c) (processing is necessary for compliance with a legal obligation to which the data controller is subject) and f) (processing is necessary for the pursuit of the legitimate interests of the data controller or a third party) of the Regulation.

The legitimate interests that may justify the processing of personal data are those of the data controller or of third parties relating to the management of contractual or pre-contractual relations at any stage of the relationship.

Necessity to provide data (what refusal to provide data entails)

The provision of data is compulsory only for data whose processing is required by law.
However, the provision of the Data Subjects’ data is necessary and, without it, it will not be possible to establish any business relationship, to properly perform pre-contractual and contractual obligations or, where a contractual relationship has already been established, to fulfil the obligations and commitments arising from that contract.

Method of processing (how the data are processed)

The data will be processed by the Data Controller and its appointees mainly by means of electronic and manual systems in accordance with the principles of fairness, loyalty and transparency laid down in the applicable legislation on the protection of personal data and by protecting the confidentiality of the person to whom the data refer by means of technical and organisational security measures to ensure an adequate level of security (e.g. preventing access to unauthorised persons except in cases required by law, or the ability to restore access to the data in the event of physical or technical incidents).

Categories of recipients (to whom the data are disclosed)

Personal data are not disclosed to unspecified third parties but, in order to achieve the purposes indicated, they may be communicated to specific categories of recipients, including employees and collaborators – in any event appointed as persons authorised to process personal data under the direct authority of the Data Controller -, third-party companies that process data on behalf of the Data Controller and in their capacity as Data Processors, other public or private entities with respect to which the communication of data is mandatory, as well as any entities that qualify as autonomous Data Controllers.

Data subjects’ data are not transferred outside the European Union.

Rights (what rights can be exercised)

The Data Subject may exercise, in relation to the data processing described herein, the rights provided for in the Regulation (Articles 15-21), including:

• receive confirmation of the existence of your personal data and access to their content (access rights);
• update, amend and/or correct your personal data (right of rectification);
• request the deletion or restriction of data processed in breach of the law, including data whose storage is not necessary in relation to the purposes for which the data were collected or otherwise processed (right to be forgotten and right to restriction);
• object to the processing (right to object);
• revoke the consent given, where the processing is carried out on the basis thereof, without prejudice to the lawfulness of the processing based on the consent given before revocation;
• lodge a complaint with the Supervisory Authority in the event of a breach of data protection regulations;
• to receive a copy of the data in electronic format concerning him/her that was rendered in the context of the contract and to request that such data be transmitted to another data controller (right to data portability).

To exercise these rights and request data portability, please contact Bernardi Impianti SRL in the person of Belloli Elisa.

Data retention (how long data are kept)

The data will be stored in compliance with applicable data protection regulations for as long as is necessary to fulfil the above-mentioned purposes, i.e. 10 years in the case of data acquired in the supplier selection process if the outcome is negative, or 10 years after the successful conclusion of the selection process if no other assignment is made within this timeframe. In the case of a contractual relationship, only personal data functional to the fulfilment of civil and tax obligations will be retained for the duration of the contractual relationship and in compliance with these obligations (e.g. civil obligation to retain invoices and company documents for at least 10 years).