information notice for customers suppliers
LE OFFICINE RIUNITE - UDINE S.P.A. wishes to inform you that Regulation (EU) 2016/679 ("GDPR") provides new rules on the Processing of personal data, ensuring the protection of persons and other subjects.
Article 5 of the GDPR provides that such Processing must be based on the principles of lawfulness, correctness, transparency and the protection of confidentiality and rights.
Pursuant to Article 13 of the GDPR we therefore provide the following information:
The Data Controller is LE OFFICINE RIUNITE - UDINE S.P.A., with registered office in VIA S. CATERINA 35, 33030 Basaldella di Campoformido (Udine), Italy, who can be contacted by e-mail at or by telephone at +39 0432 563911.
DATA PROTECTION OFFICER (DPO)
In conformity with GDPR Articles 37 and following, the Company’s Data Protection Officer is PRATIKA S.R.L. (contact person Ilaria Galante), with offices at Via Carnia 1, Rodeano Alto, Rive D'Arcano (Udine), Italy.
PERSONAL DATA PROCESSED
By the term Data we mean the information related to individuals and processed by our Company for the stipulation and execution of the contractual relationship with its customers/suppliers, such as information concerning the legal representative that signs the contract in the name and on behalf of the customers/suppliers, as well as employees/consultants of the customer/supplier involved in the contractual activities.
Data pertaining to special categories of information may also be processed in accordance with the provisions of regulations on workplace health and safety. The Data may also include any judicial data contained in public databases.
PURPOSES OF THE PROCESSING
Purposes connected with the establishment and execution of the contractual relationship between our Company and its customer/supplier;
Fulfilment of administrative-accounting requirements;
Fulfilment of obligations provided for by law or regulation, by European Community legislation, or by the order of a public Authority;
Ascertaining, exercising and/or defending the Company's rights in court.
PERIOD OF DATA STORAGE
The data will be stored for the duration of the contractual relationship and subsequently for 10 years, or as otherwise provided by law in force at that time, without prejudice to longer or specific periods provided for by laws and regulations applicable in the sector or useful for any defence of the Company in court. In the event of legal disputes, the data will be stored for the entire duration of such disputes and until the time limit for appeals has been exhausted.
Once the above-mentioned storage terms have expired, the data will be destroyed, erased or made anonymous, according to the technical procedures of erasure and backup that are current at that time.
LEGAL BASIS OF THE PROCESSING
The processing activities are necessary for the execution of a contract, or are necessary to fulfil a legal obligation to which the data controller is subject. At any time, the interested party may ask the Data Controller to clarify the objective legal basis for the processing of their data.
PROVISION OF DATA
The provision of Data is obligatory, as it is strictly necessary in order to carry out the above-mentioned purposes; therefore, failure to provide data will make it impossible to carry out and achieve these purposes.
The Data may be communicated to external subjects operating as autonomous Data Controllers or Data Processors appointed by the Data Controller pursuant to Article 28 of the GDPR. These include, by way of example: Public Bodies, Public Authorities, Consultants and service providers in various capacities.
At any time, the complete list of Data Recipients and Data Processors appointed by the Data Controller can be requested from the registered office of the Data Controller.
PERSONS AUTHORIZED TO PROCESS DATA
The Data may be processed by employees of the company departments responsible for pursuing the above-mentioned purposes, who have been expressly authorized to do so and have received adequate operating instructions.
TRANSFER OF PERSONAL DATA
Pursuant to GDPR Articles 44 and following, some of the Subject’s personal data may be communicated to recipients and Processors (the latter duly appointed by the Data Controller) based in non-European Third Countries, always according to principles of lawfulness, fairness, transparency and protection of the data subject’s confidentiality.
RIGHTS OF THE INTERESTED PARTY; LODGING A COMPLAINT
With regard to personal data, the interested party may exercise the rights provided for in GDPR Articles 15 and following, including:
Right of access (Article 15) – the right to obtain confirmation from the Data Controller on the existence of processing of personal data concerning themselves, and, in the case that such processing exists, to obtain access to the data and to certain information regarding these (explained in more detail in GDPR Article 15). Right to rectification (Article 16) – the right of the interested party to modify their data if they are inaccurate. Right to erasure (Article 17) – the right of the interested party to cancel their data in the possession of the data controller when, for example, the consent to treatment is revoked, or the purpose pursued has been reached, or when it is unlawful; obviously it may not always be possible to fulfil the request for cancellation, for example when the data are needed to fulfil a legal obligation or are necessary for the defence of a right in court. Right to object (Article 21) – the right to object to the processing is granted when the legal basis of the objection is a legitimate interest of the data subject or the performance of a task of public interest; this right too has limits, as there may be cases where the legitimate interest of the data controller prevails over that of the data subject (in which case it will be fundamental to establish the right balance), or the treatment is necessary for a task of public interest or the establishment, defence or exercise of a right in court. Right to data portability (Article 20) - where processing is based on contract or consent, the data subject may request the provision of their personal data in a structured and machine-readable format (json, xml, csv); this right applies only to data provided spontaneously, and not to inferred or derived data. Right of revocation (Article 7) - in the event of signing any form of consent to the processing required by the Data Controller, the interested party may revoke such consent at any time, without limiting any obligations stipulated by the laws in force at the time of the requested revocation.
The data subject has the right to lodge a complaint with the competent supervisory Authority in the European Union member State in which they normally reside or work, or in the State in which the alleged infringement took place.
All of the aforementioned rights may be exercised by sending a request to the Data Controller through the contact channels indicated in this notice.