PERSONAL DATA PROCESSING NOTICE: CUSTOMERS AND SUPPLIERS

For the purposes of the GDPR (EU Regulation 2016/679 on the Protection of Personal Data, hereinafter only “GDPR”), the following information is provided, consistent with the principle of transparency, to make you aware, as a data subject in the capacity of contact person of a qualified legal entity, i.e. an individual representing or acting on behalf of a certain company, of the characteristics and methods of the processing of personal data provided by you (hereinafter You or Customers/Suppliers) for the purpose of the performance of the contractual relationship entered into with us.
With this Privacy Notice (hereafter the Notice) we would like to clearly explain the reasons why we collect and process your data, so that you can make your choices, in privacy matters, in an informed manner. You will always have the right to change your privacy choices, to obtain the information you want about the use of your personal data, and to object, on legitimate grounds, to its processing. For any clarifications, requests or to exercise your rights, you may contact us at the contact details given in the paragraph below.

Data Controller

UNGUESS S.r.l., an Italian company with registered office at Via del Chiesotto n.4 near Cremona, VAT and tax code 01603290196 (hereinafter also UNGUESS, the “Owner” or the “Company” for brevity). E-mail address: legal@unguess.io, to be contacted for any clarification in relation to this policy and the processing of your personal data.

Contribution of Data and consequences in case of non-consent to processing

This information is to be understood as an integral part of the contractual relationship entered into with you and the provision of your Data is obligatory in nature, as it is strictly necessary for the purposes of the execution of pre-contractual and contractual measures taken at your request, for the execution of the contract as well as for the fulfillment of obligations related thereto to which UNGUESS is subject. Failure to provide even part of your Data entails the objective impossibility of fulfilling your request.

Processing and category of data processed

The processing will be carried out by UNGUESS as Data Controller for purposes related to the relevant contractual relationship, using electronic and manual means. Personal data subject to processing may include contact data such as biographical data, other identifying data (e.g., e-mail address, telephone number, bank references), and any personal data that you will have disclosed or that you will disclose for the performance of the contractual relationship (hereinafter, the “Data”).

In the event that, in the performance of the contractual relationship, you disclose to the Data Controller (in a non-anonymized or non-pseudonymized manner) Data of other parties (for example: employees or collaborators of the legal entity represented by you), you declare and guarantee that you will legitimately and in accordance with the GDPR process all such personal data, also declaring that you have already provided the data subjects with adequate Information Notice, in which the possibility of providing personal data to third party companies is expressed and that you have obtained any necessary consents for the purpose. Otherwise, and, therefore, in the event that with this Notice you are unable to cover the processing of Data of other parties involved, the Data Controller and you reserve the right to regulate any privacy scenario configured with appropriate supporting documentation (with, by way of example and not limited to, the DPA).

Purpose and Legal Basis of Processing

Your personal data will be processed in accordance with Article 6, letters b, c, f, GDPR, for the following purposes:

  • Establishment and conduct of the contractual relationship and related activities.
  • Administrative, accounting, fiscal and secretarial purposes, including in fulfillment of legal obligations.
  • Comply with the provisions of laws and regulations (national or community), or execute an order of judicial authorities or supervisory bodies to which the Holder and/or Co-owner is subject.
  • Exercise the rights of the Owner and/or Co-owner arising from the supply contract, in particular that of defense in court.


The legal basis of the Processing is represented by the established contractual relationship and we remind you that the provision of data for the purposes mentioned above is mandatory. The absence of the data and/or any express refusal to process it will result in the impossibility for the Holder to carry out its contractual obligations or the possible violation of requests from the competent Authorities.

Possible Recipients of Personal Data

The Data will be processed exclusively for the Permitted Purposes and by individuals specifically authorized by the Data Controller, as employees or collaborators (the “Data Processors”). Your Data may also be processed for the Permitted Purposes by agents, consultants (legal, tax, IT), banking institutions (for payment of fees), postal service companies and forwarding agents, service providers, public administrations (in fulfillment of legal obligations). The full list of recipients of your Personal Data can be provided upon simple request.

Retention Period of Personal Data Processed

The Data shall be kept for the period necessary to comply with legal obligations (including those related to storage) and to pursue the Permitted Purposes, in any case within the statute of limitations provided for the rights and obligations arising from the contractual relationship established with You.

Transferring Data Outside the European Union

The Data Controller, where necessary, may reserve the right to transfer your Data, in pursuit of the Permitted Purposes, to entities located in countries outside the EU. In this case, the Data Controller must assure you in advance that such transfer of Data will take place in accordance with applicable legal requirements.

The Rights of the Data Subject for the Processing of Data

Pursuant to data protection legislation (Articles 15-22 of the Regulations), you are granted the following rights in relation to the processing of personal data:

  • Right of access – To obtain confirmation as to whether or not Data concerning you is being processed and, if so, to receive information with respect to, but not limited to: purposes of processing, categories of personal data processed and period of storage, recipients to whom the data may be disclosed (Article 15, GDPR);
  • Right of rectification – To obtain, without undue delay, the rectification of inaccurate Data concerning you and the supplementation of incomplete Personal Data (Article 16, GDPR);
  • Right to Deletion – Obtain, without undue delay, the deletion of Data concerning you, in cases provided for by the GDPR (Article 17, GDPR);
  • Right of Limitation – Obtain from the Data Controller the limitation of processing, in the cases provided for by the GDPR (Article 18, GDPR);
  • Right to portability – To receive, in a structured, commonly used, machine-readable format, Data about you provided to the Data Controller, and to obtain that the same be transmitted to another owner without hindrance, in the cases provided for by the GDPR (Article 20, GDPR);
  • Right to object – Object to the processing of personal data about you, unless there are legitimate grounds for the Controller to continue processing (Article 21, GDPR);
  • Right to Complain to the Supervisory Authority – Complain to the Italian Data Protection Authority, Piazza di Monte Citorio n. 121 – 00186, Rome, Fax: (+39) 06.69677.3785, protocollo@pec.gpdp.it.

General modalities applied for the Processing

The processing of Data is carried out by means of the operations indicated in Article 4, No. 2, GDPR, performed with or without the aid of computer systems, namely: collection, recording, organization, structuring, updating, storage, adaptation or modification, extraction and analysis, consultation, use, communication by transmission, comparison, interconnection, limitation, deletion or destruction of Data.

The Owner undertakes, as of now, to keep the Data and information received for the purpose of the execution of the contract confidential and to take appropriate measures to ensure adequate protection of the same, ensuring the necessary confidentiality and privacy regarding their content. The obligations of confidentiality just mentioned will take effect even beyond the date on which the contract ceases to be effective.

In accordance with the provisions of Article 32, GDPR, taking into account the nature, subject matter, context and purposes of the processing, the Data Controller and the Client/Supplier mutually declare that they have put in place appropriate technical and organizational measures, including with respect to the particular categories of Data referred to in Articles 9 and 10, GDPR, to ensure a level of security appropriate to the risk, which include but are not limited to:

  • pseudonymization and encryption of Data;
  • the ability to ensure on a permanent basis the confidentiality, integrity, availability, and resilience of processing systems and services;
  • the ability to promptly restore the availability and access of Data in the event of a physical or technical incident;
  • adopting a procedure to regularly test, verify, and evaluate the effectiveness of technical and organizational measures to ensure the security of processing.

The Owner and the Client/Supplier will be responsible for the protection of their own computer system.