Customers and Suppliers Privacy Notice

We inform that, for the proper management of a relationship of supply and delivery of products / services, our organization could come into possession and process personal data also of your employees and staff. Accordance with applicable lows on privacy and data protection, i.e. the Italian D.Lgs. 196/2003 and EU Regulation 679/2016 (GDPR), we therefore inform:

1. Data Controller

The data controller is SPICA S.r.l., C.F. e P.I. 07115690963, with headquarter in Castiglione Olona (VA) – Via XXIV Maggio, 1, contact

2. Categories of personal data concerned

To commit a contractual relationship, its execution and the related accounting and administrative activities, it is necessary to process personal data, even when the contract is signed with legal persons.

The personal data processed are:

  • Personal and contact data (eg: e-mail address) of the employees interacting with the staff of our organization;
  • Accounting, fiscal, contractual and economic information of data subjects;
  • Other data possibly detectable to performance of the contract;

Purpose and legal basis for the processing:

Management of the contractual relationship, such as, among others, the fulfillment of specific requests; conclusion, modifications, execution of the contract; use and management of related services; complaints or disputes on the relationship and / or subject of the contract.

Purpose: Correct and profitable management of the contractual relationship

Legal basis: point b) of Article 6(1) GDPR: “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”.

Administrative and accounting management of services

Purpose: Correct and profitable management of the contractual economic relationship, cash flows and payments.

Legal basis: point f) of Article 6(1) GDPR: “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party”.

Mandatory compliance with national and European Union law or by collective agreements in accordance with national law, such as, among others, fulfillment of obligations under EU and national regulations, in particular in the field of health and safety, and for the prevention of crimes (anti-mafia and anti-bribery, D.Lgs. 231/2001).

Purpose: Compliance and governance.

Legal basis: point c) of Article 6(1) GDPR: “processing is necessary for compliance with a legal obligation to which the controller is subject”.

3. Purpose of the treatment

Available in point 2, specified for the different processing activities.

4. Legal basis of the processing

Available in point 2, specified for the different processing activities.

5. Recipients, communication and dissemination of data

The personal data processed for the activities described in point 2 are not disseminated generally, that is, the number and identity of the recipients is not known (e.g. media publication).

Such data may be processed and / or communicated to internal staff and /or external organization, such as:

  • employees authorized to take charge of the requests generated by the processing activities specified in point 2 (eg: responding to communications via e-mail).
  • Suppliers appointed ex. Art. 28 GDPR;

The updated list of Data Processors is available upon request.

6. Transfers outside the EU

There is no transfer of data outside the European Union.

7. Data retention period

The data will be processed for the duration of the contractual relationship and, after its termination, until the limitation period of the rights mutually arising between the parties. In the case of judicial litigation, for the entire duration of the same, and until the final decision is made.

8. Data subject’s rights

The GDPR guarantees (articles 12-22 of EU Regulation 679/2016) the existence of the right of data subject to obtain from the controller access to personal data concerning him, the rectification or erasure or restriction of processing or to oppose their process, in addition to the right to data portability.

The GDPR guarantees, if the processing is based on consent pursuant to point a), of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw without affecting the lawfulness of processing based on consent before its withdrawal;

To exercise his rights, as well as for other information, the data subject may contact the privacy e-mail address indicated in point 1.

If the data subject considers his rights violated, he have the right to lodge a complaint with a supervisory authority.

9. Statutory or contractual requirement to provide data

Data subject is not obliged to provide the personal data but failure to provide them may result in the partial or total impossibility of concluding the contractual relationship.

10. Automated Decision-making

There is no automated decision-making process, including profiling (Article 22 GDPR).

11. Treatment of third party data

The supplier is informed that, if it makes use of its employees or others (including any subcontractors) in executing the contractual relationship, their personal data may be processed by our organization always as data controller. These process have the same purposes, methods and retention times of the data described in this notice; in relation to these treatments, moreover, the third party have the same rights previously described.

The supplier/clients has the duty to properly instruct employees and collaborators on the aforementioned treatments, also by providing them with this information.

Revision date: 01.01.2022

p.p. SPICA S.r.l.