Information about processing of personal data in procurement contracts

Within the meaning and for the purposes (i) of EU Regulation 2016/679 on the ‘protection of natural persons with regard to the processing of personal data, and on the free circulation of such data’, the “GDPR”, art.13 and (ii) of Legislative Decree of 30 June 2003, n. 196, the ‘Privacy Code’,  also jointly called ‘Privacy Policy’, some obligations are set forth upon the subjects carrying out the processing – intended as ‘the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction’ – of personal data referred to other subjects (The “Processing”). SABO S.p.A. headquartered in Via Caravaggi, Levate (BG) – cap. 24040 (the “ “Company””) wish to inform you, in the following sections, about the modalities and purposes dealing with the processing of your personal data.
  1. Data Controller
  2. The Data Controller is the person who determines the purposes for which and the manner in which personal data are to be processed (the ‘Data Controller’) and is identified in SABO S.p.A. The Data Controller may be contacted by e-mail at the following address
  3. Categories of personal data
  4. Following the contractual relationship, the Data Controller process personal data that you provide or acquired by third party - within the meaning of art.14 GDPR – for purely legal reasons to which the contract refers. The data acquired can be personal identifying data (for ex. Name, surname, phone number, email, bank account) and/or sensitive data pursuant to art. 9 of the GDPR ("personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data aimed at uniquely identifying a natural person, data relating to a person's health or sexual life or sexual orientation") and/or personal data relating to criminal convictions and offences or related security measures, art. 10 GDPR.
  5. Purposes and legal basis of the processing
  6. Within the meaning of the Privacy Policy, the processing of personal data must be legitimised by one of the legal provisions provided by art 6 of the GDPR. These are specifically described for each purpose under which the Data Controller processes your data:
    1. Management of the contractual relationship: the Data Controller shall process your data to reply to your requests, and to fulfil the preliminary requirements for the conclusion of the contract
    2. Legal basis: processing is necessary for the performance of your contract or of the pre-contractual measures adopted upon your request (art. 6 par. 1 letter b of the GDPR). Data storage policy: The data that we collect only for an estimate will be stored for a maximum period of five years. The data processed to perform the contract may be stored for the whole duration of the contract and for the subsequent ten years from the end of the fiscal year following the year in question.
    3. Fulfilment of legally binding obligations: The Controller processes your data to fulfil any private law, administrative, fiscal, accounting obligation provided by law, a Regulation, the European legislation or by an order of the Authorities deriving from the outstanding relationship with you;
    4. Legal basis: processing is necessary for the performance of your contract (art. 6 par. 1 letter b and of the GDPR) or to fulfil a legal obligation of the Controller (art. 6 par. 1 letter c of the GDPR); processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law (art. 9 par. 2 letter b) of the GDPR), with regard to processing of sensitive data. Data storage policy: The Data may be stored for the period of time necessary to fulfil any legal obligation and, in any case, for the whole duration of the contract and for the subsequent ten years from the end of the fiscal year following the year in question. With specific regard to sensitive data, they will be stored for 2 years after termination of the contract.
    5. Defend the case for the Data Controller’s rights: if necessary, the Controller will provide all the information dealing with you to the Authorities and the bodies responsible for the enforcement of law, regulation or judicial documents, as well as to third parties into formal dispute. The Data Controller reserves the right to process your personal data to defend his or her rights deriving from the Contract before a judge, also for debt collection, directly or by third parties (debt collection agencies/companies), who will receive your data only for these purposes.
    6. Legal basis: processing is necessary for the purposes of the legitimate interest pursued by the controller, in order to defend a right or make further demands on the outstanding commercial relationship, except where such interests are overridden by the interests or fundamental rights (art. 6 par. 1 letter f and art.9 par.2 letter f of the GDPR). Data storage policy: your data may be stored for the necessary period of time in order to allow the Company to take actions or defend against eventual claims towards you or third parties, for the whole duration of the contract and for the subsequent ten years from the end of the procurement contract.  
    7. Promotional activities: in order to promote the core business of the Company, the Controller shall collect personal data pertaining to you (carried out during promotional events) and would share your image on any means of communication, on the Company’s website, on social medias (for instance Facebook) or in the local, national or international newspapers as well as on any other means (existing or to be invented in the future), without any compensation.
    8. Legal basis: you have given your consent as data subject of the processing (art. 6 par. 1 letter a of the GDPR). Data storage policy: data concerning your image will be stored in the controller’s database for twenty-four months. Then, they will be erased, except where they have been shared on the internet, social medias or commercial brochures. You can withdraw consent to the abovementioned processing at any time.
    If the Controller intend to process your data for other purposes than those mentioned above, he or she is required to inform you of these other purposes before performing it.
  7. Nature of consent to data processing
  8. Consent to data processing for letter a), b), c) purposes is compulsory since it is required to perform legal and contractual obligations. Any refusal or successive withdrawal may determine the inability for the Controller to fulfil the outstanding contractual relationship. Instead, consent to data processing for letters d) is optional and the failure to give consent to the processing to those data will determine the inability to carry out the abovementioned activities.
  9. Modalities to process Personal Data
  10. Processing will be carried out by the Company in compliance with the security measures under art. 32 of the GDPR, through manual, information system and computerised tools specifically designed to store, manage and transmit them to pursue only the purposes for which the data were collected and, in any case, to guarantee their security and confidentiality, as well as in full compliance with the principles of fairness, lawfulness and transparency. No automated tools are used by the Controller to process data.
  11. Communication of Data
  12. Access may be granted to:
    1. Controller’s employees and associates in charge and/or internal Processors and/or system administrators;
    2. Supervisory bodies, judicial authorities and all other subjects which by law require such communication in order to achieve these purposes.
  13. Data transfer to a third country or an international organization
  14. Personal data are to be processed within the European Union and stored on servers located in that area. Anyway, if necessary, the Data Controller will have the right to transmit such data to a third country or to an international organisation and / or to move the servers even outside the EU. In this case, the Data Controller ensures that the transfer of non-EU data will be carried out in accordance with the applicable legal provisions under art. 44 and following of the GDPR.
  15. Data subject’s rights
  16. The company informs you that, pursuant to articles 15-22 of the GDPR, you, in relation to your personal data, as Data Subject may exercise specific rights at any time, by contacting the Data Controller, such as:
    1. Access to your personal data and information, i.e. the possibility to get from the Data Controller the confirmation that the processing of personal data is in progress and in this case get access to own personal data;
    2. Without undue delay, rectification of incorrect personal data, as well as the integration of the incomplete data (with an integrative statement);
    3. The erasure of your personal data if (i) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;, (ii) you withdraw consent on which the processing is based and there is no other legal ground for the processing; (iii) the personal data have been unlawfully processed; (iv) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject; (v) the data subject objects to the processing pursuant to Article 21subsection 1 and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21 subsection 2 of the GDPR, (personal data processed for direct marketing purposes).
    4. Right to limitation of processing where the accuracy of personal data is contested (for the period necessary for the Data Controller to verify the accuracy of such personal data) or the processing is unlawful and / or the interested has opposed the Treatment asking for its limitation;
    5. Right to data portability like right to receive from the Data Controller personal data in a structured format, commonly used and readable by an automatic device and to transmit such data to another Data Controller, only for cases where the treatment is based on consent and only for data whose treatment is carried out by automated means;
    6. Right to object without prejudice to the right of the Data Controller to demonstrate the existence of legitimate reasons for proceeding with the Treatment anyway;
    7. Withdrawal of consent at any time, if the treatment is based on your explicit consent, without negative effects on the lawfulness of the treatments carried out until the exercise of the revocation;
    8. Right to lodge a complaint with a supervisory Authority of the Member State in which you reside or habitually work or the state in which the alleged violation occurred without prejudice to any other administrative or judicial appeal, in case of violation of the aforementioned regulation.
    If you need further information on the processing of your personal data and to exercise the above mentioned rights, you can send a written request using the contacts provided in the ‘Data Controller’ section of this statement. If you request more information about your data, the data controller shall respond promptly – unless this proves impossible or involves a manifestly disproportionate effort compared with the right to be protected – and in any case no later than thirty days from the request. The data controller will justify any inability or delay in doing so to meet the request.
    Last update: 2020 october