INTRODUCTION

This General Privacy Policy for Suppliers refers exclusively to the processing of personal data managed by Legur Srl, as Data Controller, for the purpose of executing contracts with Suppliers, as well as for business development and marketing purposes.

With reference to any processing of personal data carried out by Suppliers on behalf of Legur Srl, acting as Data Processor, please refer to the agreements between the Data Controller and the Data Processor signed by the parties.

GENERAL SUPPLIER PRIVACY NOTICE – REGARDING THE PROCESSING OF PERSONAL DATA PURSUANT TO ARTICLES 13 AND 14 OF REGULATION (EU) 2016/679 (“GDPR”)

1. Data Controller and Data Processors
The Data Controller is Legur S.R.L., with registered office at Via Orzinuovi 73, 25125 Brescia, Italy, Tax Code and VAT No. 03559600170. Legur Srl has appointed a Data Protection Officer (DPO) who can be contacted for any request at the email address: dpo@legur.it.
The updated list of Data Processors is kept at the registered office of the Data Controller.

2. Subject of Processing – Categories of Personal Data Processed
The Data Controller processes personal data relating to you or your staff members, consisting of common identification and business contact data (such as name, surname, address, phone number, email, and for suppliers who are individuals, also bank details, company name, etc.), communicated by you during the negotiation and/or conclusion of contracts as Suppliers or during the contractual relationship. The Supplier receiving this notice undertakes to provide it to any staff members whose data are processed by the Controller.

The Controller may also process your personal data or those of your staff members acquired from third-party Data Controllers (e.g., trade fair organizations) who have obtained lawful consent for transfer for commercial contact purposes.

3. Purposes and Legal Bases of Processing

3.1 Contractual and Pre-contractual Purposes
Legal bases:

• 3.1.1 processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of pre-contractual measures taken at the data subject’s request
• 3.1.2 processing is necessary for compliance with legal obligations provided by law, regulations, EU legislation, or orders from Authorities
• 3.1.3 processing is necessary to pursue the legitimate interest of the Controller in legal defense

3.2 Business Development and Marketing Purposes: to send you (by email) commercial or marketing communications relating to the Controller’s products or services.
Legal basis:

• 3.2.1 your explicit and specific consent

4. Processing Methods and Data Retention
Your personal data may be processed through the operations indicated in Art. 4(2) GDPR: collection, recording, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, erasure, and destruction of data. Data may be processed in both paper and electronic form.

The Controller will process personal data for the time necessary to fulfill contractual purposes and in any case no longer than 10 years after termination of the contractual relationship. For marketing purposes, data will be processed only for the time strictly necessary or until consent is withdrawn. In the event of withdrawal or removal from the mailing list, data will be deactivated from marketing databases. Data contained in previous communications will be retained for no longer than 24 months unless anonymized.

5. Access to Data
Your data may be made accessible for the purposes referred to in Art. 3:

• to employees and collaborators of the Controller as authorized personnel and/or system administrators
• to third-party companies or other entities (professional firms, consultants, insurance companies, banks, etc.) carrying out activities on behalf of the Controller, acting as independent Controllers or appointed Data Processors

6. Communication of Data
Pursuant to Art. 6(b) and (c) GDPR, the Controller may communicate your data to judicial authorities or entities to whom communication is required by law. Such entities will process the data as independent Data Controllers.
Your data will not be subject to public disclosure.

7. Data Transfers
Personal data may be transferred both within EU countries and to non-EU countries for archiving and storage needs, in compliance with applicable legal provisions.

8. Nature of Data Provision
Providing data for contractual purposes is mandatory. Failure to provide such data will make it impossible to perform the contract.
Providing data for marketing purposes is optional; in case of refusal, you will not receive commercial communications.

9. Data Subject Rights
By contacting privacy@legur.it, each data subject may exercise the rights provided by Art. 15 GDPR:

• confirmation of the existence of personal data and access to such data
• information on origin, purposes, methods of processing, and recipients involved
• updating, rectification, integration, erasure, or blocking of unlawfully processed data
• objection to processing for legitimate reasons or for marketing purposes
• exercise of rights under Arts. 16–21 GDPR and lodging a complaint with the Supervisory Authority
• possible compensation for damage pursuant to Art. 82 GDPR

Ref. GUL_INFO05 dated 16/02/2021