NOTICE EX ARTT. 13 – 14 REG. UE N. 679/2016
FOR THE PROCESSING OF SUPPLIERS’ PERSONAL DATA

AESSE PROJECTS s.r.l., with registered office in Via Mercadante 51, Cattolica (RN), VAT number: 08294640019 tax code:13179930154 (also as “Company”), in the person of the legal representative pro tempore, as DATA CONTROLLER, informs you pursuant to articles. 13 and 14 of EU Regulation no. 2016/679 (hereinafter “GDPR”) that the data you provide will be processed in the following ways and for the following purposes:

1. Object of the treatment
   The Controller, for the establishment and management of ongoing relationships with you, deals with:
   • your non-particular personal, identification, contact and fiscal data (for example: name, surname, company name, address, telephone, e-mail, bank and payment details, etc.).
2. Purpose of processing and legal basis
   Your personal data is processed:
   1. Without your express consent (art. 6 GDPR) for the following purposes:
      • Fulfill pre-contractual, contractual and tax obligations deriving from existing relationships with you;
      • Fulfill the obligations established by law, by a regulation, by community legislation or by an order from the Authority (for example: issuing invoices);
      • Exercise the rights of the Controller (for example: right of defense in court, etc.).
      • Legitimate interest of the data controller, aimed at ethical social audits on suppliers.
3. Nature of the provision of data and consequences of failure to provide it
   The provision of data for the purposes referred to in point 2.a) is mandatory and does not require consent. In the absence of such data we will not be able to conclude supply agreements with you.
4. Data access
   Your data may be made accessible:
   • To the Controller’s employees and collaborators in their capacity as data processors and/or system administrators;
   • To third-party companies or other subjects (for example: professional firms, consultants, etc.) who carry out outsourced activities on behalf of the Controller, in their capacity as external data controllers.
5. Data communication
   The Controller may communicate your data to the Public Administration, Supervisory Bodies and/or Judicial Authorities as well as to all other subjects to whom communication is mandatory or necessary by law. His data will not be released.
6. Data transfer
   We inform you that we generally try to avoid data transfers outside the European Union. In any case, it is understood that the Controller, if necessary, will have the right to transfer the data to non-EU countries. In this case, the Controller hereby ensures that the transfer of non-EU data will take place in compliance with the applicable legal provisions by stipulating, if necessary, agreements that guarantee an adequate level of protection and/or adopting the standard contractual clauses provided by the Commission. European and/or binding corporate rules.
7. Data retention
   All personal data provided will be processed in compliance with the principles of lawfulness, correctness, relevance and proportionality, only with the methods, including IT and telematics, strictly necessary to pursue the purposes described above.
   Personal data will be kept for 10 (ten) years from the date of the last registration (in accordance with the provisions of art. 2220 of the civil code). Regarding the verification of employee pay slips in the event of social ethical audits, the data is immediately deleted, only the serial number remains. It should be noted that the information systems used to manage the information collected are configured, from the outset, in such a way as to minimize the use of personal data.
8. Rights of the interested party
   Pursuant to articles 15 to 22 of EU Regulation no. 679/2016, the interested party is given the possibility to exercise specific rights. In particular, the interested party has the right to: a) obtain confirmation of the existence of processing of personal data concerning him and, in this case, access to such data; b) obtain the rectification of inaccurate personal data and the integration of incomplete personal data; c) obtain the deletion of personal data concerning him, in cases where this is permitted by the Regulation; d) the limitation of processing, in the cases provided for by the Regulation; e) obtain communication, to the recipients to whom the personal data have been transmitted, of requests for rectification/deletion of personal data and limitation of processing received by the interested party, unless this proves impossible or involves a disproportionate effort; f) receive, in a structured format, commonly used and readable by an automatic device, personal data provided to the Controller, as well as the transmission of the same to another data controller, and this at any time, even upon termination of any relationships maintained with the Controller; g) object at any time, for reasons related to your particular situation, to the processing of personal data concerning you pursuant to Article 6, paragraph 1, letters e) or f), including profiling on the basis of these provisions. If personal data are processed for direct marketing purposes, the interested party has the right to object at any time to the processing of personal data concerning him or her carried out for such purposes, including profiling to the extent that it is connected to such direct marketing; h) not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her; i) lodge a complaint with a supervisory authority pursuant to art. 77.
9. Methods of exercising rights
   You may exercise your rights at any time by contacting the Controller at the following e-mail address: privacy@aesseprojects.com
10. External processors and authorized individuals
    The updated list of external data processors and authorized individuals is kept at the registered office of the Data Controller.
11. Right to lodge a complaint with the guarantor authority
    If you believe that the processing violates your rights in some way, you can lodge a complaint with the Guarantor Authority for the protection of personal data, as required by art. 77 of the GDPR, checking the methods on the website www.garanteprivacy.it.