Privacy Notice to providers, suppliers and business partners
Privacy notice under Articles 13 and 14 of Regulation (EU) 2016/679 (“Regulation”) on the Processing of Personal Data of Suppliers and Data Subjects
For the purposes of this document, the following definitions shall apply:
- Supplier: the natural or legal person with whom or which the Menarini Group Companies currently have a contractual or pre-contractual relationship (customers, suppliers, partners, etc.);
- Data Subjects: employees, associate workers, and natural persons who either act in the name and on behalf of the Counterparty to the Contract or in any case interact with the Menarini Group Companies for reasons connected with the negotiation, execution and performance of the contractual or pre-contractual relationship.
1. Data Controller and DPO
The personal data concerning Suppliers and Data Subjects will be processed by the Menarini Group Company with which the Supplier has entered into the contractual/pre-contractual relationship, which will act as the Data Controller (“Data Controller”).
The Data Controller can be contacted at the address of its registered office, as indicated on the respective website and in the contractual documentation. The Data Protection Officer (“Data Protection Officer” or “DPO”) can be contacted at the following e-mail address: dpo “at” menarini “dot” com (please replace “at” with “@” and “dot” with “.”).
2. Types of data to be processed
The Data Controller will process the personal data:
- of the Supplier, if it is a natural person: identifying data (name, surname, etc.), contact details, tax and banking data; if presentations are delivered via teleconference, and these are recorded, audio-visual recordings will also be collected
- of Data Subjects: only data collected in relation to the existing contractual/pre-contractual relationship and which are necessary for the negotiation, execution and performance thereof, such as identifying data and contact data for business use (e.g. mobile phone number, e-mail address, other contact details as contact person of the contractual relationship); if presentations are delivered via teleconference, and these are recorded, audio-visual recordings will also be processed
Processing will be carried out on the data provided directly by the Data Subjects or by the Supplier.
In addition, in case the Data Subject/Supplier is assigned an electronic account by the Data Controller (e.g., an email account), data concerning access and activity logs will also be collected, in order to protect the security of company IT assets, in particular from cyber-threats. The Data Controller may provide additional information regarding the personal data processing activities and the rules for usage of such accounts by means of separate documents/policies, made available to the Suppliers/Data Subjects to whom the account is assigned.
3. Purpose, legal basis and optionality of the processing
Personal data will only be processed for purposes related to the assessment, negotiation, execution and performance of the contractual or pre-contractual relationship (including due diligence assessment), to fulfil specific legal obligations, to ensure that Suppliers meet Menarini ethical standards or to defend a right in court.
The legal bases for the abovementioned purposes are respectively Articles 6(1)(b), 6(1)(c) and 6(1)(f) of the Regulation.
The provision of personal data for the purposes indicated above is optional. However, if personal data are not provided, it will not be possible to establish a contractual or pre-contractual relationship with the Data Controller.
4. Recipients and transfer of personal data
Personal data may only be accessible to the staff of the Data Controller duly authorised to process them, and especially to the staff of the administration bodies and other persons who need to process them in the performance of their duties. The Data may be transferred, including to non-EU countries (“Third Countries”), to: (i) institutions, authorities, public bodies for their institutional purposes; (ii) third parties and providers used by the Data Controller for the provision of services necessary to pursue the above purposes; (iii) third parties in the event of mergers, acquisitions, sale of a business or business unit, audits or other extraordinary operations; (iv) the corporate bodies and companies of the Menarini Group – domiciled at the Data Controller’s offices – responsible for the pursuit of supervisory activities and the application of the Code of Conduct of the Menarini Group; and (v) other Menarini Group Companies for the same purposes as indicated above and/or for administrative and accounting purposes, in accordance with Article 6(1)(f) and Recitals 47 and 48 of the Regulation.
The persons receiving the Data shall process them as Data Controllers, Data Processors or authorised processors for the purposes indicated above and in compliance with the applicable law on personal data.
With regard to the possible transfer of Data to Third Countries, the Data Controller represents that the processing will be carried out in accordance with one of the methods permitted by applicable law, such as, without limitation, the consent of the Data Subject, the adoption of Standard Contractual Clauses approved by the European Commission, the selection of subjects participating in international programmes for the free movement of data or operating in countries considered safe by the European Commission.
5. Retention of personal data
Personal Data will be kept only for the time necessary for the purposes for which they were collected, in accordance with the principle of data minimisation referred to in Article 5(1)(c) of the Regulation. The Data Controller may store some data even after the termination of the contractual relationship, for the time necessary to fulfil any contractual and legal obligations.
Data subjects may obtain from the Data Controller, at any time, access to personal data; rectification or erasure of personal data; restriction of the processing and portability in the cases provided for by the Regulation. Data subjects may object to the processing of personal data pursuant to Article 21 of the Regulation. Requests must be addressed in writing to the Data Controller or to the DPO at the contact details indicated above. Data subjects may lodge a complaint with the competent supervisory authority pursuant to Article 77 of the GDPR, if they believe that the processing of their data infringes the legislation in force.