We take the privacy and security of your data very seriously.

Dear Customer/Supplier,

pursuant to the current national legislation on privacy and in compliance with the provisions of the GDPR 2016/679 (General Data Protection Regulation), Elphi VM S.r.l. (hereinafter also referred to as “Elphi”) provides you with the information regarding the processing of your personal data, based on the principles of correctness, lawfulness, transparency and protection of your privacy and your rights.

1. Purposes of processing

Regarding these Data we inform you that:

a) The data is processed in connection with contractual requirements and the consequent fulfillment of legal and contractual obligations arising therefrom (mandatory administrative, accounting, legal and tax compliance) as well as to achieve effective management of business relationships and also for the purpose of credit protection and better management of our rights relating to the individual business relationship.

b) If you are already a customer, Elphi may also use your data to send you advertising emails about products and services offered, similar to what you previously purchased, unless you refuse such use by exercising your right to object in the manner set forth below.

c) In addition, with your consent, your data may also be processed for the purpose of sending newsletters, commercial communications and/or promotional material, or opinion polls, as well as transferred to a third country outside the EU or to an international organization.

2. Access to data

The Data may be made accessible for the purposes set out in art. 1:

– to employees and collaborators of the Data Controller or of the companies of the VINCI SA Group (in Italy and abroad), in their capacity as persons in charge of data processing and/or External Processors;

– to third-party companies or other subjects (by way of example, credit institutes, professional studios, consultants, insurance companies for the provision of insurance services, control bodies, companies that may be responsible for the installation, maintenance, updating and, in general, the management of hardware and software, etc.) that carry out outsourced activities on behalf of the Data Controller and are, where appropriate, appointed as Data Processors pursuant to Art. 28 GDPR;

– to external parties in fulfilment of legal obligations.

The updated list of any External Data Processors is available by contacting the Controller.

3. Transfer of data to a third country and/or international organisation

We may need to transfer your Data to other group companies or service providers in countries outside the European Economic Area (EEA), consisting of the countries of the European Union and Switzerland, Liechtenstein, Norway and Iceland, which are considered countries with equivalent data protection and privacy laws. In this case we will ensure that your data is properly and adequately protected.

If the country does not have equivalent data protection and privacy laws, we will require the third party to enter into a contract according to EEA standards.

4. Method of processing and Retention period

In relation to the above-mentioned purposes, the processing of personal data will mainly be carried out with the aid of electronic, computerized or otherwise automated means and to a lesser extent by manual means. The data provided will be processed in accordance with the provisions of current national legislation and GDPR 2016/679, using appropriate methods and tools to ensure the security and confidentiality of the data. In particular, all technical, IT, organizational, logistical and procedural security measures will be adopted, so that the minimum level of data protection required by law is guaranteed, allowing access only to the persons in charge of processing by the Data Controller or the Managers appointed by the Data Controller.

Data referring to customers and suppliers will be kept for the time strictly necessary to fulfil the above-mentioned purposes, and in any case no longer than ten years. Once this retention period has expired, the data will be destroyed or anonymized.

5. Nature of Provision and legal basis

Providing the Data is compulsory wherever it is required by legal and contractual obligations; any refusal to provide the Data, or to allow their subsequent processing, may therefore make it impossible for the writer to continue the contractual relationship.

On the other hand, failure to provide data that are not related to legal or contractual obligations will be evaluated from time to time by the writer, who will decide accordingly based on the importance of the requested data to the management of the business relationship.

The legal basis of the Processing is the fulfillment of contractual or legal obligations related to the proper management of the relationship, for the purpose mentioned in point 1 letter a); legitimate interest for the purpose mentioned in point 1 letter b); consent for the purpose mentioned in point 1 letter c).

6. Categories of data processed

The types of data processed are:

– First name, surname

– Company name

– Tax code/VAT number

– E-mail address

– Telephone/fax/mobile phone

– Bank account details (e.g. IBAN)

7. Exercise of rights under Articles 13-25 GDPR

Data subjects have the right at any time to request from the Data Controller access to their data, rectification or cancellation, limitation of processing or the possibility to object to processing, to request data portability, and to enforce these and other rights provided by the GDPR by communication to the Data Controller. The Data Subject also has the right to revoke consent at any time without affecting the lawfulness of the processing based on the consent given before revocation. Withholding consent may cause the Data Controller to be unable to provide certain services.

Requests/communications should be addressed to the Data Controller by post, or by telephone on 02.35949851 or by email to privacyvei@vinci-energies.com.

A Data Subject who believes that the processing is in breach of the GDPR (Reg. EU 2016/679) has the right to complain to a supervisory authority (Garante della Privacy).

8. Data Controller

The Data Controller is Elphi VM S.r.l., Via Gallarate 205 – Milano – tel. 02.35949851 – e-mail: privacyvei@vinci-energies.com