Suppliers Privacy Policy

Pursuant to and in accordance with Regulation EU 2016/679 of 27 April 2016 (hereinafter “GDPR”), GEMAR S.r.l. (hereinafter “Company”), with registered office in Casalvieri (FR) – Via Colle Marracone, as
the “Controller” of processing, would like to inform you that, in implementation of the obligations deriving from the Privacy Regulation, it is required to provide you with certain information on the
methods and purposes of processing your personal data, including sensitive data, which may enter into the Controller’s possession.

Source of personal data and legal basis of processing

The personal data possessed by the Company is collected directly from suppliers when contractual relationships are commenced, or from third parties, such as when the Company acquires your data from other suppliers, distributors and/or
partners with whom you have already come into contact. The data acquired will be processed in compliance with the GDPR, and also according to the principles of confidentiality, related to the performance of the activity, which the Company has
always upheld.
Personal data processing is based on the pre-contractual or contractual relationship between the Parties.

Purposes of processing of the data

Personal data is processed as part of normal Company activities for the following purposes:

  1. purposes strictly linked with and instrumental to management of relations with suppliers;
  2. purposes deriving from laws, regulations, EU regulations, measures passed by the competent authorities according to law or by supervisory and control bodies;

Although it is not obligatory for the data subject to provide the data needed to pursue the purposes of points a) and b) above, this is essential and indispensable for the total or partial management of relations with suppliers and also for
the fulfilment of legal obligations; refusal to provide said data will therefore make it impossible for the Company to carry out said activities.

If the Company intends to use the personal data collected for another purpose incompatible with the purposes for which the personal data was originally collected or authorised, the Company will inform you beforehand, and you may deny or
provide your consent.

Data processing methods

In relation to the above purposes, the personal data is processed using manual, IT and ICT tools which store, manage and transmit the data, solely for the purposes for which it has been collected and, in any case, in a manner to guarantee its
security and confidentiality.

In performance of processing activities, the Company undertakes to:

  1. ensure that the data processed is precise and up-to-date, and immediately to incorporate any corrections and/or supplements requested by the data subject;
  2. inform the data subject of any personal data breaches, in the times and in the cases contemplated by current regulations;
  3. guarantee that processing operations comply with applicable laws.

The Company also processes the personal data acquired in accordance with principles of propriety, lawfulness and transparency. In accordance with the GDPR, the Company configures or, in any case, undertakes to configure the information
systems and computer programs to reduce use of the personal data to a minimum, in order to exclude its processing when the purposes pursued could be achieved, respectively, through the use of anonymous data or appropriate methods which allow the
data subject to be identified only if the need arises.

Categories of parties to whom the data may be disclosed

In order to pursue the above purposes, the Company, after obtaining your consent and adopting appropriate guarantees, may disclose your personal data to third parties, also located outside the territory of the State, including third countries
not belonging to the European Union.

These parties are in the following categories:

  • parties which perform distribution activities for the Company and also partners of the Company;

Your personal data may also be provided to the judicial authorities and/or law enforcement agencies, on their specific request, for purposes of identification of the authors of any illegal acts committed against the Company.
The parties in the above categories may be appointed as processors or may operate totally independently as separate Controllers. Further information on communication of the data to the above parties and on the methods for obtaining copies of the
data may be requested at:

At the Company itself, only employees and collaborators, including external collaborators appointed to process it, will learn your personal data.

Personal data storage policy

The Company stores the personal data acquired in its systems in a form which allows identification of the data subjects only for the period of time it takes to achieve the purposes for which it has been processed or to satisfy specific
regulatory or contractual obligations and, in any case, it is specified that your personal data will be stored for the entire duration of the contractual relationship and also for 10 years after the relationship terminates.

Rights of the data subject

We also inform you that, pursuant to the GDPR and, in particular, arts. 15–22 of Regulation EU 2016/679, the data subject may exercise specific rights by contacting the Controller, including:

  1. Right of access: right to obtain from the Controller confirmation of whether or not processing of the personal data is taking place and, in that case, to obtain access to the personal data and to further information on the origin,
    purposes, categories of data processed, the recipients and/or transfer of the data, etc.
  2. Right of rectification: right to obtain from the Controller the correction of imprecise personal data without unjustified delay, and also supplementing of incomplete personal data, also providing a supplementary declaration.
  3. Right of erasure: the right to obtain from the Controller the erasure of the personal data without unjustified delay, if:
    1. the personal data is no longer necessary for the purposes of processing;
    2. the consent on which processing was based has been withdrawn and no other legal basis for processing exists;
    3. the personal data has been processed illegally;
    4. the personal data must be erased to satisfy a legal obligation.
  4. Right to object to processing: the right to object at any time to processing of personal data for which the legal basis is a legitimate interest of the Controller.
  5. Right to limit processing: the right to obtain from the Controller limitation of processing, in cases in which the preciseness of the personal data is disputed (for the period necessary to the data processor to check preciseness of said
    personal data), if processing is performed illegally and/or the data subject has objected to processing.
  6. Right to data portability: the right to receive the personal data in a structured, commonly used and machine-readable format and to transmit said data to another controller, only in cases in which processing is based on consent and solely
    data processed using electronic instruments.
  7. Right to submit complaints to a supervisory authority: without prejudice to any other administrative or jurisdictional recourse, a data subject who believes that processing of his/her data breaches the Privacy Regulation is entitled to
    submit a complaint to the supervisory authority of the Member State in which they reside or habitually work, or the State in which the alleged breach has occurred.

If processing is based on consent, the data subject may withdraw any consent given at any moment, but the processing performed up until that moment remains lawful.

A data subject wishing to obtain further information on processing of his/her data, or to exercise the right indicated here above, may send a registered letter with acknowledgement of receipt to GEMAR SRL, domiciled for these functions at the
registered office in Casalvieri (FR)- Via Colle Marracone. Further information may be requested sending an email to .