Privacy notice

Privacy notice

In accordance with article 13 of Regulation (EU) 2016/679 of 27 April 2016 “on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC” (General Data Protection Regulation or “GDPR"), FOMAS S.p.A. (hereinafter “FOMAS” or the “Controller”), with registered office in, Milan, Via Vincenzo Gioberti no. 1, 20123, in its capacity as "Data Controller", is required to provide you with certain information about how and why your personal data will be processed.

1.Data source and the legal basis for processing your personal data

As general rule, FOMAS collects data directly from you at the moment of the establishment of the contractual relationship. Such data may be for example: (i) identification and personal data (e.g. name and surname, address, telephone, fax, e-mail, etc.) also of empolyees; (ii) economic and financial data, including bank and payment references.

The legal basis for the processing of your personal data are:

a) a)the contractual relationship between you and FOMAS (article 6, par. 1, lett. b) GDPR)

b) the compliance with legal obligation to which FOMAS is subject (e.g. export controls) (art. 6, par. 1, lett. c) GDPR).

2.Purposes of the data processing

Your personal data are processed by FOMAS for the following purpose:

a) To manage customer relationships (e.g. collect information preparatory to the contract, and optimise the services offered by FOMAS according to customer/supplier preferences, requests, suggested improvements and/or complaints);

b) To comply with laws, regulations, EU or extra-UE rules, or instructions issued by authorities or regulatory bodies;

c) To fulfil all administrative, accounting, welfare and tax activities related to the contractual relationship.

d) To carry out surveys, send questionnaires and any other communication related to the sale/advertising of the products sold or products similar to those already purchased by the interested party.

The provision of personal data for the purposes indicated in points a), b) and c) above is essential and vital to full or partial performance of the contract, and to compliance with statutory obligations; therefore, any refusal to provide such data would make de facto impossible for FOMAS to do those things.

In relation to letter (d), data processing is optional; the data subject may always object to such processing in the way indicated below.

If FOMAS intends to use your personal data for any purpose incompatible with those for which they were originally collected, it will give you prior warning of this.

3.How your personal data will be processed

Your personal data will be processed using manual data processing or computer systems and the logic behind the processing will be strictly linked to the purposes described above. In any event, your personal data will be processed in such a way as to ensure their security and confidentiality.

In processing your personal data, FOMAS undertakes to:

  1. Ensure that they are exact and up-to-date, and to promptly make any corrections and/or additions that you request;
  2. Notify you, in the cases and within the time frames established by law, of any personal data breach;
  3. Ensure that the processing is in compliance with the relevant rules of law.

Moreover, FOMAS handles personal data in full compliance with the principle of fair, lawful and transparent processing. As required by the GDPR, FOMAS designs or, in any event, undertakes to design its information systems and computer programs in such a way as to minimise the use of personal data, excluding their processing when the intended purposes can be achieved using anonymous data or appropriate procedures that enable the individual to be identified only where necessary.

4.Categories of parties to whom your personal data may be disclosed

The personal data that you provide will not be disseminated, or disclosed to unspecified parties in any possible way, even by placing the data at their disposal or simply making them available for consultation. Instead, for the purposes described above, your personal data may be disclosed to clearly specified parties, in full compliance with the rules of law. In particular, these parties fall into the following categories:

  • Employees and collaborators of the Data Controller as authorized data processing personnel;
  • Private or public authorities, both domestic and foreign, if they lawfully request the data;
  • Administrative / accounting and legal consultants;
  • other companies belonging to the FOMAS Group.

Parties falling into the above categories fulfil the function of "Data Processor" or operate as totally autonomous and separate "Data Controllers".

5.Data transfers outside the UE

Personal data will be stored and processed within the European Union. In the event of any transfer of personal data outside the European Union, FOMAS will adopt adequate safeguards, in compliance with GDPR. In some cases, it will be necessary to transfer your personal data outside the European Union, in which case FOMAS will implement appropriate protection measures under the GDPR. In particular, FOMAS has adopted standard contractual clauses with its subsidiaries in accordance with Articles 44-46 GDPR.

6.Storage period

FOMAS maintains in its systems the personal data acquired for a period of time not exceeding the achievement of the purposes for which they are processed or to comply with specific regulatory or contractual obligations, including those imposed by the provisions in force in civil and tax matters.

In any case it is understood that your data will be kept by FOMAS for a period not exceeding 10 (ten) years from the date of termination of the relationship with FOMAS.

7.Your rights
We inform you that, in accordance with articles 15-22 of GDPR, you may exercise certain rights by applying to the Data Controller. These include:

a) Right of access: the right to obtain confirmation from the Data Controller as to whether or not your personal data are being processed and, where that is the case, the right to obtain access to your personal data and to further information about their source, the purposes of the processing, the category of data being processed, the parties to whom the data will be disclosed and/or transferred, etc.

b) Right to rectification: the right to obtain from the Data Controller, without undue delay, the rectification of any inaccurate personal data and the completion of any incomplete personal data, even by providing a supplementary statement.

c)Right to be forgotten: the right to obtain from the Data Controller, without undue delay, the erasure of your personal data if:

  • Your personal data are no longer necessary in relation to the purposes of the processing;
  • You withdraw your consent to the processing and there is no other legal ground for the processing;
  • Your personal data have been unlawfully processed;
  • Your personal data have to be erased in order to comply with a legal obligation.

d) Right to object to processing: the right to object at any time to data processing whose legal basis is a legitimate interest of the Data Controller.

e) Right to restriction of processing: the right to obtain from the Data Controller the restriction of processing if you contest the accuracy of the personal data (restriction for a period enabling the controller to verify the accuracy of the personal data) or if the processing is unlawful and/or if you have objected to the processing.

f) Right to data portability: the right to receive your personal data in a structured, commonly used and machine-readable format and the right to transmit those data to another data
controller, but only in cases where the processing is based on consent and carried out by automated means.

g) Right to lodge a complaint with a supervisory authority: without prejudice to your right to initiate other administrative or judicial proceedings, if you believe that the processing is in breach of data protection rules, you are entitled to lodge a complaint with the supervisory authority of the Member State in which you habitually reside or work, or the Member State in which the purported breach has occurred.

8.Contact details

Should you wish to obtain further information about the processing of your personal data, or to exercise the rights explained above, please contact FOMAS S.p.A. at the following e-mail address: privacy@fomasgroup.com.