Privacy policy suppliers and contact persons at supplier companies

In its role of controller of your personal data, pursuant to Regulation (EU) 2016/679, hereinafter ‘GDPR’, GRUPPO ROMANI S.P.A. hereby informs you that, in compliance with the Regulation, data processing must be based on principles of fairness, lawfulness, transparency and protection of your confidentiality and your rights.

Your personal data will be processed in compliance with the legislative prescriptions of the aforementioned regulation and the confidentiality obligations it contains.

Aims and legal grounds of data processing: in particular, your data will be processed for the following aims connected with the fulfilment of legal obligations:

• mandatory legal requirements concerning taxation and accounts;

• obligations imposed by statutory legislation.

Your data will also be used for the following aims related to the execution of measures connected to contractual or pre-contractual obligations:

• management of suppliers;

• management of the contract of suppliers and the compliance activities connected thereto, including pre-contractual activities; scheduling of activities;

• supply orders history.

In relation to the aims indicated above, if you are an employee-reference person of the supplier-legal entity your data will be processed due to our need to interact, through you, with the supplier-legal entity in question.

Methods of processing. Your personal data can be processed in the following ways:

• outsourcing of processing operations from third parties; processing by means of computers; manual processing by means of hard copy files.

Each processing operation is carried out in compliance with the methods as at articles 6, 32 of the GDPR and by adopting the adequate security measures provided for.

Your data will be processed solely by personnel expressly authorised by the controller and, in particular, by staff in the following categories:

• General Management;

• Purchasing Department;

• Administration Department.

Disclosure: Your data may be disclosed to external parties for correct management of the relationship and in particular to the following categories of recipients who act in the role of duly appointed controllers or processors:

• banks and lenders;

• consultants and freelancers, also in associated form;

• in the context of public and/or private recipients for whom disclosure of the data is required or necessary in compliance with legal obligations or is anyway functional for administration of the relationship;

• service providers that supply hardware and software assistance and cloud services;

• service providers for electronic billing management;

• shippers, hauliers, independent truckers, postal services, logistics companies.

Distribution: Your personal data will not be disseminated under any circumstances.

Your personal data can also be transferred, limited to the above indicated aims, to the following countries:

• EU member states.

Period of Retention. In compliance with the principles of fairness, limitation of aims, and minimisation of data, pursuant to article 5 of the GDPR, the period of retention of your personal data is:

• established for a period of time no greater than the time required to achieve the aims for which they were collected and processed for the execution and fulfilment of the contractual aims;

• established for a period of time no greater than the time required to achieve the aims for which they were collected and in compliance with the mandatory times prescribed by law.

Controller: in accordance with the law the controller is GRUPPO ROMANI SPA (via A. Volta 9 – 23/25, 42013 Casalgrande (RE), Italy; VAT number: 03028130361; contactable at: 39-0522-998411/911 e-mail: info@grupporomanispa.it; Telephone: +390522998411) in the person of its pro tempora legal representative.

The data protection officer (DPO) appointed by the controller pursuant to article 37 of the GDPR is:

• Name of the DPO available by writing to dpo@grupporomanispa.it (address: c/o the company headquarters).

You have the right to request the data protection officer for erasure (right to be forgotten), restriction of processing, updating, rectification, portability, to object to processing of your personal data, and more in general, to exercise all the rights provided by articles 15, 16, 17, 18, 19, 20, 21, 22 of the GDPR.

1. The data subject has the right to receive confirmation regarding the existence of personal data concerning him or her, even if not yet subscribed, and to receive a copy of such data in intelligible form. The data subject also has the right to lodge a complaint with the Supervisory authority.

2.The data subject has the right to be informed of:

a. the source from which the personal data originate;

b. the aims and methods of processing;

c. the logic applied in the case of data processing performed with the aid of electronic equipment;

d. the name and contact details of the controller, of the processors, and of the controller’s representative pursuant to article 5, subsection 2;

e. the recipients or categories of recipients to whom the personal data may be disclosed or who may become informed of the personal data in their role of designated representative in the Member State, and of processors or persons authorised to process personal data.

3. The data subject has the right to obtain:

a. updating, rectification and, taking into account the purposes of processing, completion of incomplete personal data concerning him or her;

b. erasure, transformation into anonymous form or blocking of data processed in violation of the law, including data whose retention is not required for the aims for which the data were collected or subsequently processed;

c. an attestation that the operations as at letters a) and b) have been brought to the attention, also with regard to their contents, of the parties to whom the data were disclosed or disseminated, except for cases in which compliance with this requirement is not possible or would require the use of manifestly disproportionate resources with respect to the protected right;

d. data portability.

4. The data subject has the right to object, entirely or partly:

a. for legitimate grounds, to the processing of personal data concerning him or her, even if relevant to the aim of data collection;

b. to the processing of personal data concerning him or her for transmission of advertising or direct sales material, for market surveys or for commercial communications.