Customers and suppliers privacy policy

During the negotiation, establishment and management of the contractual relationship with the clients and suppliers (“Relationship”), De Gaspari Osgnach S.r.l. processes personal data of the client and/or of the supplier, or people connected to them. Such data shall be processed in accordance with this Privacy Policy, that is delivered pursuant to art. 13 of the European Regulation 2016/679, as well as the Italian regulation in force.

CONTROLLER DE GASPARI OSGNACH S.R.L., with registered office in 35121 PADOVA, Via Altinate 33, Tax code and VAT number 04192950287 – tel. +39 049 8219002 – email:
CATEGORIES OF PERSONAL DATA PROCESSED Personal data of natural person related to the customer and/or supplier including name and surname, position held, contact information (phone, e-mail, address), and potentially other data necessary or useful for the management, also under a taxation point of view, of the Relationship. Each person with whom the Controller interacts represents to be authorized or anyhow to have the power to lawfully transmit to the Controller the personal data – his/her own and other natural persons connected to the customer and/or supplier – as necessary for the establishment, management and performance of the Relationship
SPECIAL CATEGORIES OF PERSONAL DATA For the negotiation, establishment and management of the Relationship, the Controller does not process special categories of data (i.e. data concerning religious beliefs, trade union membership, sexual preferences and the others listed in art. 9 of the Regulation – or data concerning criminal convictions and offences referred to in art. 10 of the Regulation). Should it be necessary to process this type of personal data, we will request the prior consent of the data subject.
The purpose of the processing is the establishment and management of the Relationship, including all related legal, fiscal and contractual obligations in general. Lawful processing as necessary for the execution of a contract of which the data subject is a party or for the execution of pre-contractual measures adopted at the request of the same – art. 6.1. (b) of the Regulation.
Fulfilment of legal obligations (i.e. processing and filing of accounting documents (e.g. invoices) relating to the Relationship and communications and other fulfilments to which the Controller is subject under national and international regulations relating, for example, to tax, administrative-accounting and anti-money laundering matters. Lawful processing admitted as necessary to fulfill a legal obligation to which the Controller is subject to – art. 6.1 (c) of the Regulation.
Direct marketing activities through the sending of communications or material (e.g., by e-mail, newsletter) compared to products/services similar to those already provided by the Controller to the customer, or in any case news of interest regarding the activities carried out by the Controller (e.g., notice on temporary closures for holidays). Processing admitted, as necessary for the pursuit of a lawful interest of the controller – art. 6.1. (f) of the Regulation. The lawful interest of the Controller is represented by the promotion of its activity through direct marketing – see Recital no. 47 of the Regulation.
MANDATORY DISCLOSURE The provision of personal data is mandatory for the achievement of the purpose of establishing and managing the Relationship.
CONSEQUENCES OF NON-DISCLOSURE Any refusal to provide all or part of the personal data requested by the Controller may make it impossible for the Controller to implement the Relationship or to correctly carry out all the obligations connected to it. Non-disclosure of the data and/or the request not to use them for direct marketing purposes does not hinder the performance of the Relationship.
CATEGORIES OF RECIPIENTS The data may be communicated or in any case made accessible to subjects connected to the Controller by business relationships, companies and/or associations, professionals and consultants for the provision of services ancillary to those covered by the Relationship, or in any case also to third parties who operate, also on behalf of the Controller, for the provision of services related to the purposes indicated in this privacy policy, both intra- EEA and extra- EEA (in the latter case, the data will be transmitted in accordance with Articles 44 et seq. of the Regulation).

By way of example, but not exhaustive, these are:

  1. employees of the Controller;
  2. lawyers, accountants and other consultants of the Controller;
  3. companies providing additional services, such as software houses, web agencies and similar;
  4. companies supplying other products or services related to the performance of the activity covered by the Relationship.

In addition, personal data are communicated to subjects, entities, authorities to whom it is mandatory to communicate the data of the data subjects in accordance with legal provisions and orders of the Authorities.

At the request of the data subject, the Controller will make available the detailed list of third parties to whom the personal data have been transmitted and/or made accessible.

OTHER CONTROLLERS In the event that the consultancy requested by the client is managed jointly with other consultants, when the latter have a direct relationship with the client (including but not limited to the case of conferral of a power of attorney, jointly and/or alone with the Controller and the professionals who report to the same), these consultants are autonomous controllers towards the client in all legal purposes.
PROCESSING METHODS Personal data are stored in the archives of the Controller and are processed using paper and computerized methods, without prejudice to the adoption of appropriate security measures in order to avoid unlawful processing.
RETENTIONS Personal data will be retained, in our system, for the entire duration of the contractual Relationship, and after termination of the same, until any request to the contrary by the interested party in accordance with the following point c).
RIGHTS RECOGNIZED TO THE DATA SUBJECT At any moment, the data subject may exercise towards the Controller, the rights provided for in art. 15 to 22 of the Regulation, i.e. the right to ask for:

  1. access to personal data, or to be informed by the Controller of his/her personal data kept by the Controller, the purposes for which these data are processed, their origin and other information required by art. 15 of the Regulation;
  2. the rectification of personal data in case of inaccuracy of the same;
  3. the cancellation of personal data (so-called ‘right to be forgotten’);
  4. the limitation of the processing of personal data, or the right to obtain the suspension of the processing of personal data for the period necessary to verify the request for revision of personal data, or in other cases provided for by art. 18 of the Regulation;
  5. The right to the portability of data, i.e. the right to receive personal data in a structured format, commonly used and machine-readable format- even by requesting the direct transfer to another owner (with respect to data whose processing is carried out by automated means);
  6. The right to object to the processing data pursuant to art. 6, paragraph 1, letters e) or f) of the Regulation (the right to object).

Requests must be sent in writing to the Controller at the addresses above. The Controller will give an adequate reply as soon as possible and in any case within one month of receiving the request.

COMPLAINTS Each data subject has the right to lodge a complaint pursuant to Articles 77 et seq. of the Regulation to a supervisory authority, which for the Italian State is identified in the Italian Data Protection Authority (Garante per la protezione dei dati personali). The methods of complaint are indicated at this link: