Complete privacy policy for Suppliers

Engraving solutions

Who are we and what do we do with your personal data?


The company Engraving Solutions S.r.l., with its registered office in 55100, Lucca (LU), Via di Mugnano,
815 (hereinafter also the "Data Controller"), as Data Controller will see to the confidentiality of your
personal data and guarantee its necessary protection from any event that could put it at risk of
violation.
The Data Controller applies policies and practices concerning the collection and use of personal data
and the exercise of the rights recognized by the applicable legislation. The Data Controller is responsible
for updating the policies and practices adopted for the protection of personal data whenever it
becomes necessary and in any case whenever regulatory and organizational changes that may affect
the processing of your personal data arise.
The Data Controller has appointed a Data Protection Officer (DPO) whom you can contact if you have
questions about the policies and practices adopted.
The contact details of the Data Protection Officer are as follows:
DPO@engravingsolutions.it.


How does the Data Controller collect and process your data?


The Data Controller collects and/or receives information about you, such as:

  • name, surname
  • fiscal code
  • e-mail
  • phone number
  • address
  • VAT number
  • Bank account number
  • images/video

The personal data will be processed for the following purposes:


1) the management of the supply contractual relationship and the fulfilment of any other obligations, including regulatory obligations, arising therefrom

Purpose:
-the management of the contractual relationship in all its phases, from the negotiations to its definition, whatever the cause is
-monitoring and updating the conditions of supply and/or services and assignments
-registration, invoicing and bookkeeping

Legal basis:
-Execution of pre-contractual and contractual activities
-Fulfilment of legal obligations and contractual obligations besides obligations deriving from the relationship established, such as, among others, those arising from:
  - Presidential Decree no. 633/1972 and subsequent amendments and integrations
  - Presidential Decree no. 600/1972 and subsequent amendments and integrations
  - Code of Ethics of the Data Controller
-Fulfilment of economic, financial and social reporting obligations

 

Your personal data is also collected from third parties such as, by way of example:
-other data controllers
-IT service provider.


2) for the communication to third parties and the dissemination

Purpose:
Communication to third parties, such as:
-Companies of the Group for administrative purposes
-Tax advisers and accountants
-Couriers
-Credit institutions for the management of payments
-Lawyer for the management of litigation and contracts
-Public and private bodies
-IT consultants

Legal basis:
-Fulfilment of obligations depending on the contract
-Fulfilment of legal obligations, such as, among others, depending on:
  - Presidential Decree no. 633/1972 and subsequent amendments and integrations
  - Presidential Decree no. 600/1972
-Observance of transparency and economic and social reporting obligations

The Data Controller may transfer your personal data abroad (non-EU countries) and in particular:
-China, Brazil, USA (Sister Companies): Standard contractual clauses aimed at ensuring adequate
safeguards, including data subjects' rights with regard to the transfer of personal data outside the EU.
-Japan (Sister Company): Adequacy decision EU-Japan.
The communication and dissemination concern the categories of data whose transmission and/or
disclosure are necessary for the performance of the activities and purposes pursued by the Data
Controller in the management of the relationship established. The relative data processing does not
require the consent of the data subject where it takes place in fulfilment of legal obligations or to
fulfil the obligations deriving from the contractual relationship, or where other grounds for exclusion
apply (in particular application of the provisions of the Code of Ethics and/or legitimate interest of the
Data Controller) expressly provided for or dependent on the legislation and regulations applied by the
Data Controller, or even through third parties identified as data processors.


3) for information security activities

Purpose:
-implementation of the detection and notification of personal data violation (data breach)

Legal basis:
-Execution of activities depending on the established relationship
-Fulfilment of legal obligations (detection and notification of data breach events)
-Legitimate interest

 

How, where and for how long is your data stored?

How
The data processing is performed through paper supports or IT procedures by specially authorized
internal subjects. Such internal subjects are allowed access to your personal data to the extent that it is
necessary to carry out the processing activities that concern you.
The Data Controller periodically verifies the tools through which your data is processed and the security
measures provided, for which it requires constant updating; verifies, also through the subjects authorized
to carry out the processing, that personal data whose processing is not necessary or whose purposes are
exhausted is not collected, processed, filed or stored; and verifies that the data is stored with the
guarantee of integrity and authenticity and used for the purposes of the processing actually performed.
The Data Controller guarantees that data which, even after the verifications, are found to be excessive or
irrelevant will not be used, except for the possible retention, according to the law, of the deed or
document that contains them.
Where
The data is stored in paper, computerized and software archives located within the European
economic area, and adequate security measures are ensured.
For how long
The personal data processed are kept for the time necessary to carry out the activities related to the
management of the contract that you have stipulated with the Data Controller and for the fulfilments,
including those required by law, arising therefrom.

In particular:

Data:
-identifying data
-accounting data
-data relating to professional and commercial activity

Storage period:
Duration of the contractual relationship
Without prejudice to:
-termination of the contract (for any reason)
-the purposes that continue beyond the conclusion of the contract (e.g. bookkeeping, art. 2220 of the Italian Civil Code)
-the prescription terms: from five to ten years from the definition of the relationship and in any case from the moment in which the rights that depend on it can be exercised (articles 2935, 2946 and 2947 of the Italian Civil Code)
-for particular after-sales needs related to the average life of the product up to twenty years after the termination of the relationship
Except in the event of litigation if it involves an extension of the aforementioned terms, for the time necessary to pursue the related purpose.

Data:
-Computer data (access log to systems and to the network and / or IP addresses)

Storage period:
The duration of the storage depends on the presumed and / or detected risk and the prejudicial consequences that derive from it, without prejudice to the measures to make the data anonymous or to limit its treatment.
In any case, the data must be kept (with effect from the knowledge / detection of the hazard event or data breach) for the time necessary to notify the authority of the violation of the data detected through the procedures implemented by the Data Controller and in any case take remedial actions.

Controller will take care of deleting them or making them anonymous.

What are your rights?

The rights that are recognized to you allow you to always have control of your data. Your rights are the
following:

  • access;
  • correction;
  • cancellation;
  • treatment limitation;
  • opposition to treatment;
  • portability.

 

In substance, you, at any time and free of charge and without special charges and formalities for your
request, can:

  • obtain confirmation of the processing carried out by the Data Controller;
  • access your personal data and know the origin (when the data are not obtained from you directly),
    the purposes and the scopes of the processing, the data of the subjects to whom they may be
    disclosed, the period of retention of your data or the criteria useful for determining it;
  • update or rectify your personal data so that they are always accurate and correct;
  • delete your personal data from the data banks and / or the archives, including backups, of the Data
    Controller in the case, among others, where they are no longer necessary for the purposes of the
    processing or if it is assumed to be illicit, and always provided that the conditions required by law
    exist; and in any case if the processing is not justified by another equally legitimate reason;
  • limit the processing of your personal data in certain circumstances, for example where you have
    disputed their accuracy, for the period necessary for the Data Controller to verify their accuracy. You
    must be informed, in due time, even when the suspension period has been completed or the reason
    for the limitation of the processing has ceased, and therefore the limitation itself revoked;
  • obtain your personal data, if the processing is based on a contract and with automated tools, in
    electronic format also for the purpose of transmitting them to another data controller.

The Data Controller must proceed in this way without delay and, in any case, at the latest within one
month from receiving your request. The deadline can be extended by two months, if necessary, taking
into account the complexity and the number of requests received. In such cases the Data Controller,
within a month of receiving your request, must inform you of the extension and of the reasons for it.
For any further information and in any case to send your request, contact the Data Controller at
privacy@engravingsolutions.it.


How and when can you oppose the processing of your personal data?


For reasons related to your particular situation, you can oppose the processing of your personal data at
any time when this takes place for legitimate interest, sending your request to the Data Controller at the
address privacy@engravingsolutions.it.
You have the right to the deletion of your personal data if there is no legitimate prevailing reason with
respect to the one that gave rise to your request.

Who can you lodge a complaint with?

Without prejudice to any other administrative or judicial action, you may file a complaint with the
control authority, unless you reside or work in another Member State. In the latter case, or where the
breach of the data protection legislation occurs in another EU country, the authority to receive and
hear the complaint will be the control authority established therein.
Any update of this privacy policy will be communicated to you promptly and by appropriate means
and you will also be notified before proceeding and in time to give your consent if necessary.