CUSTOMERS AND SUPPLIERS PRIVACY NOTICE

ex art. 13 of the European Regulation no. 679/2016 (“GDPR”)

Categories of data subjects Data Controller
Customers and suppliers “Bologna University Business School” (hereinafter “BBS” or “Data Controller”) Villa Guastavillani, Via degli Scalini 18, Bologna (BO-Italy)
Entry in Reg. Legal Persons at the Prefecture of Bologna No. 729, p. 118 vol. 5. VAT No. 02095311201
Data Protection Officer BBS has appointed its Data Protection Officer, who can be contacted at the following e-mail address: dpo@bbs.unibo.it

 

1. INFORMATION ON THE PROCESSING OPERATIONS PERFORMED

SECT. A

Purposes

Establishing and managing the contractual relationship with BBS.

Legal basis

Performance of a contract or pre-contractual measures – Art. 6.1 b) GDPR.

Personal data collected Data retention period
Personal, contact and bank/IBAN details, e-mail exchanges, fees paid (if applicable), data of company, firm or institution of affiliation.

Required provision: a refusal to provide the above data would result in the inability to guarantee the use of the service or the performance of the contract.

Data processed for administrative purposes are retained for the time necessary to perform the contract.
Data processed for the performance of pre-contractual measures are retained for a period not exceeding 2 years.

 

SECT. B1

Purposes

Management of tax, accounting and administrative requirements required by law.

Legal Basis

Fulfillment of legal obligations – Art. 6.1(c) GDPR.

Personal data collected Data retention period
Personal and fee and billing details (tax regime, bank/IBAN information)

Mandatory provision by law:

Data processed for the management of tax, accounting, and administrative requirements required by law are retained for the period stipulated by law: the period for retaining accounting records is 10 years, as stipulated in Article 2220 of the Italian Civil Code.

 

SECT. B2

Purposes

Transparency and corruption prevention.

Legal Basis

Fulfillment of legal obligations – Art. 6.1(c) GDPR.

Personal data collected Data retention period
In cases where transparency and corruption prevention obligations apply (see Legislative Decree No. 33, March 14, 2013, as amended and supplemented): personal and contact data, data on the firm or entity of affiliation, the assignment, if any, and on the compensation received.

Mandatory provision by law:

Data published for purposes of transparency and prevention of corruption are obscured once the purposes for which the personal data were made public have been achieved. Notwithstanding this principle, as a general rule, pursuant to Legislative Decree No. 33, March 14, 2013, as amended and supplemented, they are retained online for 5 years, with the following exceptions: (a) acts that are still producing their effects at the expiration of five years, must remain published until the production of the effects ceases; (b) data concerning, consultants and collaborators must remain published for the 3 years following the expiration of the assignment; (c) data for which a different deadline is provided for by the regulations.

 

SECT. C

Purposes

To ascertain, exercise or defend the rights of the Data Controller in court.

Legal Basis

Legitimate interest – Article 6.1(f) GDPR.

Personal data collected Data retention period
Personal data collected under the other purposes above. The data used to ascertain, exercise or defend the rights of the Data Controller in judicial proceedings shall be retained for the period of admissibility of the judicial action and, in case of initiation of litigation, for the entire duration of the litigation itself and in any case until the period of admissibility of the appeal actions is exhausted.

 

2. METHODS OF TREATMENT

The processing of personal data is carried out by BBS using paper and computerized methods.

 

3. AUTOMATED DECISION-MAKING ACTIVITIES

BBS excludes the use of any decision-making activity based on automated processing that produces legal effects or similarly significantly affects you pursuant to Article 22 of European Regulation 679/2016.

 

4. FATE OF DATA AT THE END OF THE RETENTION PERIOD

After the above retention periods have elapsed, the Data will be destroyed, erased or anonymized, consistent with technical erasure and backup procedures.

 

5. DATA PROCESSORS. THIRD PARTY RECIPIENTS OF DATA

The entities or categories of entities that are designated as data processors pursuant to Article 28 of the aforementioned European Regulation No. 679/2016 and may therefore process and become aware of the data you provide are the entities or categories of entities that BBS uses:

a) to manage contractual relations with customers and suppliers and more generally, with third parties, including for accounting and administrative purposes, including legal defense;

b) to manage communications, including commercial communications;

c) to manage its archives, including in a computerized manner.

The data may also be transmitted to the judicial authorities and other public entities entitled to request them, in cases provided for by law or as a result of the order of a judicial authority.

The full list of designated data processors is available upon request by sending a communication to the e-mail address gdpr@bbs.unibo.it.

 

6. PLACE OF PROCESSING AND DATA TRANSFER TO NON-EU COUNTRIES

BBS carries out the processing of your data in Italy.

Some of the designated Data Processors are based, or process your personal data, also in countries other than Italy both in and outside of Europe and, in this case, the transfer of personal data outside the EU will take place in accordance with the provisions of law and, in particular, personal data will be transferred to third countries in compliance with the conditions set forth in Article 45 et seq. GDPR.

 

7. YOUR RIGHTS. COMPLAINT WITH THE SUPERVISORY AUTHORITY

You may exercise the rights granted to you by law and, in particular, the right to obtain from BBS access to your personal data (Art. 15 GDPR), rectification and/or supplementation (Art. 16 GDPR) and erasure (Art. 17 GDPR) of your personal data, restriction of processing (Art. 18 GDPR), the right to receive notification of rectification, erasure or restriction of processing carried out (Art. 19 GDPR), the right to data portability (Art. 20 GDPR), and the right to object to processing (Art. 21 GDPR). These rights may be subject to certain exceptions and/or limitations (e.g., the right to erasure cannot be exercised for those data with respect to which BBS demonstrates the existence of overriding legitimate grounds for processing, the right to portability applies with respect to processing based on a contract, the right to object applies for processing based on legitimate interest or for reasons of public interest).

Data subjects also have the right to lodge a complaint with the competent Supervisory Authority (Art. 77 GDPR), which in Italy is the Garante per la protezione dei dati personali [Privacy Guarantor] (Piazza Venezia, 11 – 00187 Roma – PEC [registered email]: protocollo@pec.gpdp.it).

 

8. DATA PROTECTION OFFICER

BBS designated its Data Protection Officer, who can be contacted at the following address: dpo@bbs.unibo.it

You may contact the Data Protection Officer for all matters related to the processing of your personal data and the exercise of your rights under the European Regulation No. 679/2016 and the Privacy Code.

 

9. CONTACTS AND DISPUTES

If you have any questions or complaints, regarding this Privacy Notice or BBS’s data processing practices or for requests regarding updating/rectification/erasure of personal data or exercise of your privacy rights you may contact the Data Controller or Data Protection Officer.

For this purpose you may send a communication to the e-mail address gdpr@bbs.unibo.it, from which you will be answered by the person appointed by BBS to provide feedback to the data subject, that is the Privacy coordinator, or to the Data Protection Officer e-mail address dpo@bbs.unibo.it