Privacy Policy for Suppliers
INFORMATION NOTICE ON PERSONAL DATA PROCESSING
Pursuant to Articles 12 and following of EU Regulation 2016/679 (“GDPR” or “Regulation”), and in general in compliance with the transparency principle established by the Regulation itself, the following information is provided regarding the processing of personal data (i.e., any information relating to an identified or identifiable natural person: the “Data Subject”) in connection with relationships with suppliers, including collaborators.
1. DATA CONTROLLER
The data controller is ALLS Consulting soc.cons. a r.l.
2. PURPOSE OF DATA PROCESSING
The processing of personal data is strictly related to managing the pre-contractual and contractual relationship with the supplier, along with the resulting legal obligations, including administrative, accounting, and tax formalities and requirements (e.g., acquisition of preliminary information for contract conclusion; execution of activities based on obligations derived from the concluded contract). Therefore, the processing typically concerns offer verification and, if applicable, contract stipulation, fulfillment of contractual obligations (both for and on behalf of the Data Controller), and the protection of the rights of the contracting parties.
3. TYPES OF DATA PROCESSED, COLLECTION METHODS, AND DATA SUBJECTS
The data processed belong to the category of common data, such as:
- Surname, first name, date and place of birth, residence, identity document details;
- Tax code and/or VAT number and other fiscal data, including the SDI recipient code for electronic invoicing;
- Telephone number/email address/PEC address;
- Data related to the supply of goods or services;
- (If applicable in cases of joint liability, etc.) Data regarding compliance with wage and social security obligations.
Additionally, beyond the supplier’s data, information about individuals related to them (such as administrators, employees, and collaborators) may also be processed, specifically concerning their names and contact details (telephone and email). These data are provided by the supplier or the Data Subject, obtained from public records (such as the Chamber of Commerce or civil registry), or retrieved from relevant authorities concerning necessary compliance verifications.
4. OBLIGATION TO PROVIDE DATA AND LEGAL BASIS FOR PROCESSING
Regarding contractual purposes, there is no obligation to provide data during the pre-contractual phase; however, failure to provide the requested data may prevent the conclusion of the contract. Once the contract is signed, providing additional required data or updating previously provided data becomes mandatory to fulfill legal and contractual obligations. Failure to provide such data, in whole or in part, may result in the inability of the Data Controller to execute the contract and may constitute a contractual breach or legal violation (if the data are required for regulatory compliance or by authorities, as indicated at the time of the data request).
The legal basis for processing is that it is necessary:
- For the execution of a contract to which the Data Subject is a party or for pre-contractual measures taken at their request;
- For compliance with a legal obligation to which the Data Controller is subject.
The legal basis for protecting rights is the legitimate interest of the Data Controller.
5. PROCESSING METHODS AND DATA RETENTION
Processing will be carried out:
- Using manual and automated systems;
- By individuals or categories of authorized personnel performing relevant tasks;
- With adequate measures to ensure data confidentiality and prevent unauthorized third-party access.
Data will be retained for the duration of the contractual relationship and, after its termination—limited to the data still necessary—to fulfill contractual obligations, comply with legal requirements, and address contractual protection needs. Typically, data will be deleted 10 years after the end of the contractual relationship. If an offer is not accepted, the data will be deleted as soon as it is confirmed that the contractual relationship will not be established.
No automated decision-making processes are applied.
6. DATA DISCLOSURE
The collected data may be disclosed, exclusively for the purposes specified above, to:
- Entities entitled to access such data by legal provisions;
- Employees, collaborators, and suppliers of the Data Controller, within the scope of their duties and/or contractual obligations related to executing the contractual relationship with the Data Subject (e.g., banks, insurance companies, legal consultants, software providers, and IT assistance services);
- Financial authorities and other entities requiring mandatory communications.
Data will not be subject to dissemination.
7. DATA PROCESSING LOCATION
Personal data is processed within the European Union. There is no intention to transfer data outside the EU or to an international organization.
8. DATA SUBJECT’S RIGHTS
The GDPR grants the Data Subject the following rights concerning their personal data (a summary is provided below; for a full description, including any limitations, refer to the Regulation, particularly Articles 15-22):
- Access to personal data (the Data Subject has the right to receive, free of charge, information regarding their data held by the Data Controller and its processing, as well as to obtain a copy in an accessible format);
- Rectification of personal data (upon the Data Subject’s request, incorrect or outdated personal data must be corrected or updated);
- Erasure of personal data (right to be forgotten) (e.g., data are no longer necessary for the purposes for which they were collected or processed, were unlawfully processed, must be deleted to comply with a legal obligation, the Data Subject has withdrawn consent, or objects to the processing under specific conditions);
- Restriction of processing (in certain cases—contesting data accuracy, unlawful processing with objection to deletion, the necessity of data for legal defense while no longer required for processing, or objection to processing pending verification—the data will be retained but not accessible to the Data Controller except for legal reasons or with the Data Subject’s consent);
- Objection in whole or in part, for reasons related to the Data Subject’s particular situation, to processing based on legitimate interest;
- Data portability (if processing is based on consent or a contract and carried out by automated means, the Data Subject has the right to receive their data in a structured, commonly used, and machine-readable format and transmit them to another Data Controller);
- Withdrawal of consent (if processing is based on consent, the Data Subject can withdraw it at any time without affecting the lawfulness of prior processing);
- Lodging a complaint with the supervisory authority (Data Protection Authority – “Garante Privacy”).
The Italian Data Protection Authority can be contacted through the details provided on its website (www.garanteprivacy.it). Other rights may be exercised by sending a request to the Data Controller using its contact details.
This information notice is updated as of 31/03/2023.