Supplier Privacy Notice

PRIVACY NOTICE PURSUANT TO ART. 13 OF REGULATION (EU) 2016/679 (GDPR) FOR SUPPLIERS

Dear Data Subject (Supplier),
with this document, Industree Hub s.r.l. provides you with information on the characteristics and methods of processing your personal data.
This is done in accordance with the provisions of the GDPR and the Italian Privacy Code currently in force.

Any processing of your personal data will be carried out in compliance with the principles of lawfulness, fairness, and transparency.

 

1. IDENTITY AND CONTACT DETAILS OF THE DATA CONTROLLER

The Data Controller, hereinafter also referred to as the “Data Controller”, is Industree Hub s.r.l., represented by its legal representative pro tempore.
VAT No. 02909990356.
Registered office: Via Benedetto Croce no. 15, 42123 Reggio Emilia, Italy.

The Data Controller may be contacted at the registered office indicated above or via the following channels:
Phone: +39 0522 325270
Email: privacy@industree.it
Certified email (PEC): industreehub@pec.industree.it

 

2. DATA PROTECTION OFFICER (DPO)

The Data Controller has appointed Piramis S.r.l. as Data Protection Officer.
Contact details:
Email: dpo@easygdpr.it
Phone: +39 030 9658901

 

3. TYPES OF PERSONAL DATA PROCESSED

The Data Controller collects and processes personal data that can directly or indirectly identify you, including, by way of example:

  • personal identification, contact, and identification data (including, but not limited to, first name, last name, date of birth, residence or domicile, phone number, email address, etc.);

  • banking details, for the purchase of products and related invoicing.

  • [If the supplier is a company] [personal identification and contact details relating to the supplier’s employees and or collaborators, where appointed as contacts. These data are necessary for the proper management of the ongoing relationship. Where required, this also includes data relating to the legal representative of the supplier as a legal entity].

The provision of the requested personal data is necessary in order to comply with legal and contractual obligations.
Any refusal to provide such data, in whole or in part, may result in the impossibility for the Data Controller to perform the contract and comply with its legal obligations.

 

4. METHODS OF DATA PROCESSING

Personal data will be processed using both manual and electronic tools.
These include, by way of example, corporate IT devices, internet and intranet networks, management software, corporate email systems, and access control systems.

Processing will be carried out using methods and tools suitable to ensure the highest level of security.
It will comply with the principles of fairness, lawfulness, transparency, and necessity, while safeguarding data confidentiality.

Personal data will not be subject to any automated decision-making process.

 

5. PURPOSES, LEGAL BASIS, AND DATA RETENTION PERIOD

Purpose of processing: Management of the pre-contractual and contractual relationship
Categories of data processed: Personal identification data, contact details, contract-related data, and data relating to the requested service
Retention period: For the entire duration of the contractual relationship and until its full performance
Legal basis: Performance of a contract to which the data subject is a party or pre-contractual measures (Art. 6, para. 1, letter b, GDPR)

Purpose of processing: Compliance with legal obligations (administrative, accounting, and tax-related)
Categories of data processed: Personal identification data, contact details, invoicing data, payment data, and any other data contained in accounting records
Retention period: 10 years from the date of the last accounting entry, pursuant to Art. 2220 of the Italian Civil Code on the retention of accounting records
Legal basis: Compliance with a legal obligation (Art. 6, para. 1, letter c, GDPR)

Purpose of processing: Protection of rights in judicial proceedings
Categories of data processed: Data strictly necessary to establish, exercise, or defend a legal claim
Retention period: 10 years from the termination of the contractual relationship, corresponding to the ordinary limitation period pursuant to Art. 2946 of the Italian Civil Code.
In the event of litigation, the data will be retained for the entire duration of the proceedings and until the expiry of all appeal deadlines.
Legal basis: Legitimate interest of the Data Controller (Art. 6, para. 1, letter f, GDPR) and the need to defend legal claims, which constitutes an exception to the right to erasure (Art. 17, para. 3, letter e, GDPR).

 

6. SUBJECTS INVOLVED IN DATA PROCESSING. RECIPIENTS OF PERSONAL DATA

Authorized personnel of the Data Controller process personal data in accordance with their respective duties.
Data Processors formally appointed in writing carry out processing activities within the scope of their assigned responsibilities.

Processing is carried out in accordance with the instructions provided by the Data Controller.
Appropriate security measures are adopted to protect the data and ensure confidentiality.

The full list of Data Processors is available upon request.
Personal data may also be disclosed to third parties where this is necessary to achieve the purposes described above.

 

7. TRANSFER OF DATA TO NON-EU COUNTRIES

The collected data will not be transferred by the Data Controller to countries outside the European Economic Area (EEA) or to international organizations.

However, some personal data may be shared with recipients located outside the EEA.
If such a transfer becomes necessary, the Data Controller ensures that it will take place in compliance with applicable regulations.
Appropriate safeguards will be applied, such as adequacy decisions, standard contractual clauses approved by the European Commission, or other lawful transfer mechanisms.

 

8. RIGHTS OF THE DATA SUBJECT

Under Articles 15 to 22 of the GDPR, the data subject is granted specific rights.
These include the right to obtain confirmation as to whether personal data concerning them are being processed, access to such data in an intelligible form, and the right to rectification, erasure, or restriction of processing.

The data subject also has the right to object to processing for legitimate reasons, to withdraw consent at any time where applicable, and to request data portability for data processed on the basis of consent.
The right to request data updates is also included.

The data subject has the right to know the origin of the data, the purposes and methods of processing, the logic applied to processing, and the identification details of the Data Controller and any recipients of the data.

The data subject may also request anonymization, restriction, or blocking of data processed in violation of the law.
In addition, a complaint may be lodged with the Italian Data Protection Authority in relation to unlawful data processing, following the procedures published on the Authority’s website (http://www.garanteprivacy.it/).

Requests to exercise these rights may be addressed to the Data Controller using the contact details provided above, without formalities.
Alternatively, the standard form made available by the Italian Data Protection Authority may be used and downloaded from the following website:
http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/1089924.

The Italian Data Protection Authority is based in Rome, Piazza Venezia no. 11, Staircase B, 00187 Rome, Italy.
Fax: +39 06 69677 3785
Telephone: +39 06 696771
Email: garante@gpdp.it
Certified email (PEC): protocollo@pec.gpdp.it

 

9. RIGHT TO LODGE A COMPLAINT

If you believe that the processing of your personal data violates the GDPR, you have the right to lodge a complaint with the Italian Data Protection Authority.
This may be done by email at garante@gpdp.it or by post to the Italian Data Protection Authority, Piazza Venezia 11, Staircase B, 00187 Rome, Italy, as provided for in Art. 77 of the Regulation.

You also have the right to seek judicial remedies in accordance with Art. 79 of the Regulation.

 

10. CHANGES TO THIS PRIVACY NOTICE

This privacy notice may be subject to changes over time.
Such changes may result from the entry into force of new regulations, updates and or introduction of new services, or technological developments.

Place and date of last update.

Reggio Emilia
01/10/2025