INTRODUCTION

The following General Privacy Notice to Suppliers is intended as referring only to the processing of personal data managed by Gulliver Srl, in its capacity as Data Controller, for the purpose of executing contracts with Suppliers, as well as for commercial development and marketing purposes. With reference to any processing of personal data conducted by Suppliers on behalf of Gulliver Srl, in its capacity as Data Processor, please refer to the provisions of the contracts between the Data Controller and the Data Processor signed by the parties. GENERAL INFORMATION SUPPLIERS - ON THE PROCESSING OF PERSONAL DATA PURSUANT TO ART. 13 AND 14 OF REGULATION (EU) 2016/679 (‘GDPR’)

1. Owner and responsible for treatment

The Data Controller is GULLIVER S.R.L, with registered office in Via Orzinuovi 73, 25125 Brescia, Tax Code and Partita. VAT 03559600170; Gulliver srl has appointed its own Data Protection Officer (DPO) who can be contacted for any request at the e-mail address dpo@gullivernet.com.

The updated list of Data Protection Officers is kept at the registered office of the Data Controller.

2. Purpose of the Processing - categories of personal data processed

The Data Controller processes personal data relating to you or your assignees, to be understood as common identification data for business contacts (such as, for example, name, surname, address, telephone number, e-mail, or, for suppliers who are physical persons, also bank details, company name, etc.), communicated by you in connection with the definition and/or conclusion of contracts as Suppliers or, again, during the course of the contractual relationship. The Supplier receiving this information undertakes to give it to any of its employees whose data are processed by the Controller.

The Data Controller may also process your personal data or those of your appointees, to be understood as common business contact identification data (e.g. name, surname, address, telephone number, e-mail), acquired from third-party Data Controllers (e.g. trade fair organisations) who have acquired their legitimate consent to the transfer for business contact purposes.

3. Purposes and legal bases of the processing

3.1 Contractual and pre-contractual purposes:

Basi giuridiche:

3.1.1 the processing is necessary for the performance of a contract to which the data subject is party or for the performance of pre-contractual measures taken at the data subject's request,

3.1.2 processing is necessary for the performance of obligations required by law, regulation, Community legislation or an order issued by the Authority

3.1.3 the processing is necessary for the exercise of the legitimate interest of defence in legal proceedings of the Controller.

3.2  Commercial Development and Marketing Purposes: to send you (by e-mail) commercial or marketing communications relating to the Controller's products or services

Legal basis:

3.2.1 your explicit and specific consent.

4. Processing methods and duration

The processing of your personal data may be carried out by means of the operations indicated in art. 4 n. 2) GDPR and precisely: collection, registration, organisation, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, cancellation and destruction of data. Your personal data may be subject to both paper and electronic processing.

The Data Controller will process your personal data for the time necessary to fulfil the above-mentioned contractual purposes and in any case for no longer than 10 years from the termination of the contractual relationship. For marketing purposes, the Controller will process your personal data for the time strictly necessary to fulfil the purposes for which it was collected, for the period provided for by law or within the scope of official provisions. If you wish to revoke your consent or expressly decide to unsubscribe from our marketing mailing list, your data will be promptly deactivated from our marketing databases so that you do not receive any further communications. In any case, personal data contained in previous communications will be retained for a period of no longer than 24 months after they have been recorded, without prejudice to the transformation of such data into anonymous data.

5. Accesso to data

Your data may be made accessible for the purposes set out in Article 3 above

to employees and collaborators of the Data Controller in their capacity as data processors and/or system administrators;

to third party companies or other entities (by way of example, professional firms, consultants, insurance companies, credit institutions, etc.) that carry out activities on behalf of the Data Controller, in their capacity as autonomous Data Controllers or External Data Processors appointed by the Data Controller.

6. Data communication

Pursuant to Art. 6 letters b) and c) GDPR, therefore without the need for express consent, the Data Controller may communicate your data for the purposes arising from the contractual relationship to judicial authorities as well as to those subjects to whom the communication is compulsory by law for the fulfilment of the aforementioned purposes. These subjects will process the data in their capacity as autonomous data controllers.

Your data will not be subject to dissemination.

7. Transfer of data

Personal data may be transferred, for the purposes set out in this information notice as well as for filing and storage needs, both to European Union countries and to countries outside the European Union.

In any case, the Data Controller guarantees as of now that the transfer of data outside the EU will take place in compliance with the applicable legal provisions.

8. Nature of conferment

The provision of data for the contractual purposes set out in Article 3.1 is mandatory. In their absence, we will not be able to guarantee the performance of the contractual relationship.

On the other hand, the provision of data for marketing purposes as per Art. 3.2 is optional; you may therefore decide not to provide any data or to subsequently deny the possibility of processing data already provided and any consent given, in which case, you will not be able to receive the aforesaid commercial communications and advertising material relating to the products or services offered by the Controller.

9. Rights of the data subject

By contacting the Data Controller by e-mail at privacy@gullivernet.com, any interested party may exercise their rights under Art. 15 GDPR, namely

obtain confirmation of the existence or otherwise of personal data concerning him/her, even if not yet registered, and its communication in intelligible form;

obtain an indication of: a) the origin of the personal data; b) the purposes and methods of processing; c) the logic applied in the event of processing carried out with the aid of electronic instruments; d) the identification details of the Data Controller, the Data Processors and the representative designated pursuant to Art. 3, paragraph 1 of the GDPR; e) the subjects or categories of subjects to whom the personal data may be communicated or who may become aware of it in their capacity as designated representative in the territory of the State, data processors or persons in charge of processing

obtain: a) the updating, rectification or, where interested therein, integration of the data; b) the cancellation, transformation into anonymous form or blocking of data processed in breach of the law, including data whose retention is not necessary for the purposes for which the data were collected or subsequently processed c) certification to the effect that the operations as per letters a) and b) have been notified, as also related to their contents, to the entities to whom or which the data were communicated or disseminated, unless this requirement proves impossible or involves a manifestly disproportionate effort compared with the right that is to be protected;

object, in whole or in part: a) on legitimate grounds, to the processing of personal data concerning him/her, even though they are relevant to the purpose of the collection; b) to the processing of personal data concerning him/her, where it is carried out for the purpose of sending advertising materials or direct selling or else for the performance of market or commercial communication surveys, by automated calling systems without human intervention, by e-mail and/or by traditional marketing methods, by telephone and/or by post. It should be noted that the data subject's right to object, as set out in point b) above, for direct marketing purposes by automated means extends to traditional marketing methods and that, in any case, the data subject's right to object may also be exercised in part. Therefore, the data subject may decide to receive only communications by traditional means or only automated communications or neither type of communication.

Where applicable, the data subject will also have the rights set out in Articles 16-21 GDPR (right to rectification, right to be forgotten, right to restriction of processing, right to data portability, right to object), as well as the right to complain to the Data Protection Authority.

Finally, where the conditions exist, the data subject will have the right to compensation for any damage suffered as provided for in Article 82 of the GDPR.

Ref. GUL_INFO05 of 16/02/2021