PRIVACY POLICY OF SUPPLIERS
PRIVACY POLICY FOR THE PROCESSING OF SUPPLIERS’ PERSONAL DATA PURSUANT TO ARTICLE 13 OF THE EU REGULATION 2016/679 (HEREINAFTER “GDPR”) ON THE PROTECTION OF INDIVIDUALS WITH REGARD TO THE PROCESSING OF PERSONAL DATA
IG Operation and Maintenance S.p.A. with registered office in Via Campobello n. 1 – 00071 Pomezia (RM), VAT no.
12131261005, (hereinafter referred to as the “Data Controller”), as Data Controller, hereby informs you that the
personal data acquired with reference to the established relationships will be processed in compliance with the
above-mentioned regulations.
The Data Controller can be contacted at the following e-mail address: privacy@igomspa.it.
1. Description of processing: data categories, purposes and legal bases
The Data Controller processes your personal data and/or those of your contact persons; your so-called identification
data (name, surname, tax code, VAT number), your so-called contact data (e-mail, telephone number, address of
residence or registered office) as well as your bank data (IBAN code) will be processed.
Your personal data are processed for the following purposes:
• Requesting quotations and conducting negotiations;
• Management of supplier qualification;
• Signing, execution and renewal of the Contract;
• Making payments.
The processing of data for the above-mentioned purposes is necessary for the management of pre-contractual
activities and for the execution of the contractual relationship established with the Data Controller; therefore, the legal
basis can be found in Article 6(1)(b) GDPR. Specifically, the processing is necessary to perform the pre-contractual
measures necessary for the signing of the Contract as well as for the execution of the Contract itself. In addition, the
processing of the aforementioned data is necessary to comply with legal obligations; therefore, the legal basis can
also be found in Article 6(1)(c) GDPR.
The Data Controller may also process images acquired by means of video surveillance systems installed at its
premises. The purpose of installing video-surveillance systems is to protect the company’s assets and the safety of
staff and visitors. The legal basis legitimising the processing of images acquired by means of video surveillance
systems lies in Art. 6(1)(f). The processing is carried out to pursue a legitimate interest of the Data Controller or of a
possible third party, i.e., the protection of people and property against possible aggression, theft, robbery, damage,
vandalism, or purposes of fire prevention or work safety.
In the context of procurement contracts, personal data referring to the supplier’s employees and collaborators,
necessary for the operational and administrative management of the contracts, including fulfilments related to health
and safety in the workplace, such as health suitability certifications, training certificates, roles held in safety matters
(e.g. RSPP, fire-fighting and first aid officers) and any other document required by the regulations in force on the
subject, will also be processed. The legal bases that make the processing legitimate are the fulfilment of pre-
contractual and contractual obligations related to the supply and contract relationship (Art. 6(1)(b) GDPR) and the
fulfilment of obligations required by law or regulations (Art. 6(1)(c) GDPR). In addition, the processing of data relating
to health (e.g. any data relating to states of accident or illness) is based on Art. 9(2)(b) GDPR as it is necessary to
fulfil the obligations and exercise the Data Controller’s specific rights in the field of labour law and safety and security.
The Data Controller may process the aforementioned personal data for the purposes of legal defence, if the
conditions are met. The legal basis legitimising the processing of such personal data, which may also include data
belonging to special categories or judicial data, lies in Article 9(2)(f) GDPR – processing is necessary for the
establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity – and in
Article 10 GDPR in correlation with Article 2-octies(3)(e) of the Privacy Code (Legislative Decree no. 196/2003) – the
ascertainment, exercise or defence of a right in a court of law.
Lastly, we would like to inform you that IG O&M S.p.A. has set up a reporting channel for the management of
whistleblowing reports. The information concerning the processing that may result from the management of a
whistleblowing report is available in the dedicated section of the Data Controller’s website, to which reference should
be made in full.
The data described in the preceding points may be processed internally within the Company for the purpose of
carrying out internal checks and audits as part of the renewal and/or acquisition of existing certification
standards or as part of the activities performed by the Supervisory Board pursuant to Legislative Decree No.
231/2001. The legal basis legitimising the processing of such personal data lies in the legal obligation set forth in Art.
6(1)(c) GDPR.
Data relating to criminal convictions and offences may be processed, where required by the specific nature of the
case, in the context of participation in tenders and contracts and/or in updating the Client’s supplier portal. In
these cases, the legal basis legitimising the processing of such data lies in Art. 10 GDPR, in correlation with Art. 2-
octies, c. 3, lett. c) – the verification or ascertainment of the requisites of honourableness, subjective requisites and
disqualification prerequisites in the cases provided for by laws or regulations – h) – the fulfilment of obligations
provided for by legal provisions on anti-mafia communications and information or on the prevention of mafia-type
delinquency and other serious forms of social dangerousness in the cases provided for by laws or regulations, or for
the production of the documentation required by law to participate in tenders – and i) – the verification of the
requirement of moral suitability of those who intend to participate in tenders, in compliance with the provisions of the
current regulations on tenders – of the Privacy Code (Legislative Decree no. 196/2003).
Lastly, it should be noted that the Controller may process personal data in order to allow the supplier access (where
foreseen due to the subject matter of the Contract) to the sites of the Data Controller’s Customers and the
issuing, where required, of the access card. In these cases, in addition to the data described above such as name,
surname, date and place of birth, social security number, data included in identity documents or residence permits
of the supplier and its contact persons, as well as the vehicle registration number and type of vehicle used to access
the areas and images of the person concerned may also be processed. The aforementioned personal data are
processed within the framework of the contractual relationship with IG O&M in order to enable the latter to operate
and gain access, also by means of the creation of the vehicle card and the private vehicle pass, at the sites of the
Data Controller’s Customers. The legal basis legitimising the processing of such personal data lies in the
implementation of fulfilments relating to contractual obligations pursuant to art. 6 letter b) GDPR that IG O&M is
obliged to comply with vis-à-vis the Customers, who must, in turn, fulfil corresponding legal obligations.
2. Nature of the data
The provision of your personal data referred to in the preceding points is mandatory, therefore, any refusal may result
in the non-execution and/or partial execution of the contract and/or continuation of the relationship.
3. How we handle your personal info
The processing of your personal data is carried out by means of the operations indicated in Article 4, no. 2 GDPR
and precisely: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation,
use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction,
erasure or destruction.
The processing of your personal data will be based on the principles of correctness, lawfulness and transparency
and may also be carried out using automated methods for storing, managing and transmitting the data and will take
place by means of instruments that are suitable, as far as reasonably possible and according to the state of the art,
to guarantee security and confidentiality through the use of appropriate procedures that avoid the risk of loss,
unauthorised access, unlawful use and dissemination. Your personal data are subject to both paper and electronic
processing.
All processing is carried out in compliance with the modalities set out in Article 32 GDPR and through the adoption
of appropriate security measures.
Your data will only be processed by personnel expressly authorised by the Controller.
4. Data retention period
The Data Controller shall process the personal data for the time necessary to fulfil the above purposes and in any
case for the performance of the Contract. After the expiry of ten years from the termination of the Contract, the data
shall be destroyed or rendered anonymous.
In the context of the processing of data carried out in the establishment or execution of the contract with the Data
Controller’s Customer, the data will be retained for ten years after the termination of the relationship with it.
In the event of litigation or settlement agreements or alternative dispute resolutions, the data will be retained for ten
years from the finality of the decision and agreement that settled the dispute.
Video surveillance system recordings are kept for a maximum of 48 hours, after which they are deleted. Specific
exceptions are permitted by specific order of the Judicial or Public Security Authorities.
Where data is acquired in the course of the activities of the Supervisory Board, the data will be retained for ten years
after the termination of the Company.
5. Dissemination and communication
The personal data processed by the Data Controller will not be disseminated, i.e. they will not be disclosed to
unspecified persons, in any possible form, including making them available or simply consulting them. They may,
however, be communicated to the subjects to whom communication is obligatory by law. Your data may also be
communicated, by way of example but not limited to, to:
• Agents, consultants or external figures collaborating with the company;
• Subsidiaries and associated companies;
• Banks and credit institutions;
• Service providers (e.g. IT system providers, cloud service providers, database providers and
consultants) duly appointed as External Data Processors;
• Data Controller Customers.
The updated list of Data Processors is available at the Controller’s registered office and will be provided upon written
request.
In addition, on the basis of the roles and tasks performed, certain workers have been legitimately authorised to
process your personal data, within the limits of their competence and in accordance with the instructions given to
them by the Controller.
6. Data transfer outside the European Union
The management and storage of personal data will take place on servers located within the European Union of the
Data Controller and/or third party companies duly appointed as Data Processors. The servers are
currently located in Italy. The data will not be transferred outside the European Union. It is in any case understood
that the Data Controller, should it become necessary, shall have the right to move the location of the servers to Italy
and/or the European Union and/or non-EU countries. In this case, the Data Controller assures as of now that the
transfer of data outside the EU will take place in compliance with the conditions set forth in Chapter V GDPR.
7. Rights of the data subject
In your capacity as data subject, you are entitled to exercise your rights under Article 15 et seq. of GDPR 2016/679,
namely:
i) the right to request from the data controller access to personal data, i.e., confirmation as to whether or
not personal data relating to you are being processed and, if so, to obtain access to those data (Art. 15);
j) the right to have the data controller rectify and/or complete inaccurate personal data concerning
you (Art. 16);
k) the right to request the data controller to erase your personal data without undue delay (Art. 17);
l) the right to request from the data controller the restriction of processing concerning you (Art. 18);
m) the right to obtain certification that the operations referred to in letters b), c) and d) have been brought to the attention,
also as regards their content, of those to whom the data have been communicated or disseminated,
except where this proves impossible or involves a manifestly disproportionate effort compared with the
right protected (Art. 19);
n) the right to data portability, i.e. to obtain in a structured, commonly used and readable format the personal
data concerning you (Art. 20);
o) the right to object to their processing, i.e. to object at any time, on grounds relating to your particular situation,
to the processing of data relating to you (Art. 21);
p) the right in relation to automated decision-making processes, i.e. the right not to be subject to a decision
based solely on automated data processing without your explicit consent (Art. 22).
As a data subject, you also have the right to lodge a complaint with the Supervisory Authority (Art. 77), i.e. the right
to refer a matter to the Authority if you consider that the processing concerning you violates the Regulation.
The aforementioned rights may be exercised by sending a registered letter with return receipt to IG Operation and
Maintenance S.p.A., Via Campobello n. 1 – 00071 Pomezia (RM); or an e-mail to: privacy@igomspa.it.
The Data Controller
IG Operation and Maintenance S.p.A.