SAPwC | Privacy Notice Suppliers

SERVIZI AZIENDALI PRICEWATERHOUSECOOPERS S.r.l. ((hereinafter, “SAPwC” or "Controller"), having its head office in Milan, Piazza Tre Torri, n. 2 in person of its pro tempore legal representative, a company supplying administrative, accounting and organisational services in favour of the Italian entities belonging to PwC Network¹, with whom it has executed a joint control agreement pursuant to Section 26, GDPR the essential content of which is available on demand at the Controller's premises, are glad to provide you, pursuant to Sections 13, GDPR², with all of the following information (hereinafter, the “Information Notice”).

Identity and Contact details of the Controller

SERVIZI AZIENDALI PRICEWATERHOUSECOOPERS S.r.l.
Piazza Tre Torri, n. 2 - 20145 Milan
Tax code / VAT no.: 12449670152
Tel. (02) 77851

 
Contact details of the Data Protection Officer

Office of the Data Protection Officer (“DPO”)
Piazza Tre Torri, n. 2 - 20145 Milan
Certified email address PEC dpo-sap@pec-pwc.it
Tel. (02) 66734162
Fax (02) 66734163

Purposes of the processing for which the personal data are intended and related legal basis

Your personal data will be processed without your consent (section 6, items b, c, f, GDPR), for the following purpses:

• performance of pre-contractual and contractual obligations deriving from the execution of a supply contract,
• compliance with legal obligations, as provided for by a law (national or EU) or perform an order of any authority, as well of any other entity to which the Controller is subject,
• exercise the rights of the Controller, with particular reference to judicial defensive rights.

For the purposes mentioned above, the collection of your personal data is necessary. In lack of the data or in case of any express refusal of consent to process such data may cause the impossibility to the Controller to perform the contractual obligations or the possible violation of the competent Authorities requests.

Processed Categories of Personal Data

Pursuant to art. 4, n. 1, GDPR the "personal data" that will be processed by the Data Controller for the purposes of the aforementioned treatments, have as their subject, name and surname, tax code, VAT number, residence, domicile, registered office workplace, e-mail or PEC address, telephone and fax number, and, where appropriate, bank, financial and insurance data ("Data").

You will refrain from sending the Data to the Data Controller, which is not strictly necessary for the performance of contractual and / or commercial activities. Otherwise, the Data must be transmitted to the Data Controller anonymously or pseudonymised, in accordance with the principle of minimization provided for in article 5, paragraph 1, GDPR.

In the event that, in carrying out the contractual relationship, you communicate to the Data Controller (in a non-anonymous or pseudonymised way) Data of other parties, declares and guarantees to treat legitimately and in compliance with the GDPR all the aforementioned personal data, also declaring having already provided the interested parties with adequate information, expressing the possibility of providing personal data to third-party companies and having obtained any necessary consents for the purpose.

Categories of Personal Data Recipients

The personal data you will submit us for the purposes mentioned under par. (c) above, could be transferred to:

1. Employees and collaborators of the Controller, in their capacity of persons duly authorised to data processing,
2. Any third party subject, performing outsourced activities on behalf of the Controller, in their capacity of data processors,
3. Any judicial or controlling Authority, public entities (whether national or foreign ones);
4. Any other entities belonging to the national and international PwC Network to which the Controller is part thereof.

Storage and Transfer of Personal Data to Third Countries

Personal data are processed and stored “on cloud” and on servers located within and outside EU, belonging to or in the possession of the Controller and/or third party processors, as duly appointed.

The transfer to non EU-countries is performed in compliance with the provisions under par. V, GDPR (sec. 46), adopting standard contractual clauses drafted pursuant to versions no. 2004/915/EC and n. 2010/87/EU, as adopted by the European Commission.

Your personal data will not be subject to dissemination.

Personal Data Storage Period

Personal Data provided for the purposes indicated under par. (c), above are processed and stored for the entire duration of the supply contract.

As of the termination of such contractual relationship, for whichever reason or cause, personal data will be stored as long as time-barring legal terms will be elapsed.

Exercisable Rights

In compliance with the provisions under Chapter III, Section I, GDPR, you may exercise the rights therein indicated and in particular: 

Right of Access – Obtain confirmation whether your data is processed or not and, in such a case, obtain information related, in particular, to: the purposes of such processing, the categories of the processed personal data, the storage period, the recipients to whom such data can be transferred (Section 15, GDPR);

Right of Rectification – Obtain, without undue delay, the rectification of inaccurate personal data and to have incomplete personal data completed (Section 16, GDPR);

Right of Erasure – Obtain, without undue delay, the erasure of your personal data, in the cases provided for by the GPDR (Section 17, GDPR);

Right to Restriction – Obtain from the Joint Controllers the limitation to processing, in the cases provided for by the GDPR (Section 18, GDPR);

Right to Data Portability – Receive your personal data as communicated to the Joint Controllers in a structured, commonly used and machine-readable format and obtain the transmission of such data to another controller without any hindrance, in the cases provided for by the GDPR (Section 20, GDPR);

Right to object – Object to the processing of your personal data, unless the Joint Controllers have compelling legitimate grounds for the continuation of the processing (Section 21, GDPR);

Right to Lodge a Complaint with the Supervisory Authority – Lodge a complaint to Autorità Garante per la protezione dei dati personali, Piazza Venezia n.11, 00187, Roma (RM).

You may exercise such rights by means of a request to be sent by email to the Data Privacy Officer certified email address above indicated.

Processing Operations

Your personal data is processed through the operations indicated in section 4, n. 2), GDPR  - whether or not performed by automated means – such as: collection, recording, organisation, structuring, update, storage, adaptation or alteration, retrieval and analysis, consultation, use, disclosure by transmission, alignment or combination, restriction, erasure or destruction.

Whichever the way, it will guarantee their security, logical and physical, and overall their confidentiality, adopting all necessary technical and organisational measures appropriate to guarantee the data security.

The Data Controller undertakes, from now on, to keep the data and information received for the purpose of the contract confidential and to adopt appropriate measures to ensure adequate protection of the same, ensuring the necessary confidentiality and confidentiality regarding their content .

The confidentiality obligations mentioned above will also take effect after the date on which the contract ceases to have effect.

In accordance with the provisions of Article 32, GDPR, taking into account the nature, object, context and purpose of the processing, the Controller and the Supplier mutually claim to have implemented appropriate technical and organizational measures, including with reference the particular categories of Data referred to in articles 9 and 10, GDPR, to guarantee a level of security appropriate to risk, which include, by way of example and not exhaustively:

(i) pseudonymisation and encryption of data;

(ii) the ability to ensure on a permanent basis the confidentiality, integrity, availability and resilience of the processing systems and services;

(iii) the ability to promptly restore data availability and access in the event of a physical or technical incident;

(iv) a procedure for testing, verifying and regularly assessing the effectiveness of technical and organizational measures in order to guarantee the security of the treatment.

The Controller and the Supplier will be responsible for the protection of their IT system.

Footnotes:

[1] Further information on PwC Network and its single entities may be found on www.pwc.com.

[2]  European Regulation 2016/679 of the EU Parliament and of the Counsil dated April 27, 2016, concerning the protection of  natural persons with regard to the processing of personal data (“GDPR”).