pursuant to and for the purposes of Art. 13 of EU Regulation 2016/679
(existing and potential customers/suppliers)


  1. Identification details of the Data Controller

Personal data is used by the company Gadda Industrie srl, with headquarters at Via Adriano Olivetti n. 13,10010 Colleretto Giacosa (TO), VAT no 08658420016, in the person of its legal representative pro-tempore, as Data Controller, in compliance with the personal data protection principles established by EU Regulation 2016/679 (the GDPR).

  1. Processing purpose

Data is processed for the management of customers and suppliers (existing and potential) for the following purposes:
1. to conclude contracts for the services/products of the Data Controller or supplier, fulfil pre-contractual and contractual obligations deriving from existing relationships;
2. fulfil obligations established by law;
3. exercise the rights of the Data Controller, such as to defend itself in a court of law or manage disputes;
4. for planning relative activities.

  1. Legal basis

– For the purposes set out in points 1 and 4: the processing activity is necessary for the execution of a contract of which the data subject is a party, or for the execution of pre-contractual measures adopted at the request of the same (Art. 6(1)(b) of the GDPR).
– For the purpose set out in point 2: the processing activity is necessary to fulfil a legal obligation to which the data controller is subject (Art. 6(1)(c) of the GDPR).
– For the purpose set out in point 3: the processing activity is necessary for the pursuit of the legitimate interest of the Data Controller or of third parties (Art. 6(1)(f) of the GDPR)

  1. Description of the processing activity and categories of data subjects

As a potential customer/supplier and/or customer/supplier of goods and services, your personal data will be processed in compliance with the security measures pursuant to Art. 32 of the GDPR. The management of the contractual relationship with customers and suppliers (mainly legal persons) requires the processing of personal data (identifying information, telephone numbers, emails) relating to the people with whom you come into contact. This information is provided to natural persons who work for customers/suppliers. Given the difficulty in sending it directly to the data subjects, the information is made available to them on the website of the Data Controller. Data subjects in processing activities are natural persons who, employed or by means of another type of relationship with customers/suppliers, are operationally involved in commercial, pre-contractual and contractual communications. This can also include customers/suppliers who are natural persons, consultants, freelancers or sole proprietorships. The processing activity takes place in full compliance with applicable legislation, and guarantees the security, confidentiality and protection of data in its possession and the fundamental rights and freedoms recognised by, and in compliance with, the GDPR.

  1. Types of data collected and their origin

In relation to the activity carried out, the information processed in relations with customers and suppliers primarily refer to legal persons; the various contacts generate processes which may include the processing of personal data. Personal data processed are comprised of contact data, as well as further information of an identifying and economic-financial nature for contractual relationships stipulated with natural persons. The processing of personal data can be performed for all natural persons who, by virtue of contracts or collaborations stipulated or to be stipulated, relate to subjects belonging to the organisation. Personal data processed are identifying data (for example, name, surname, company name, address, telephone, e-mail, bank and payment information).

  1. Recipients and categories of recipients

Personal data processed by the Data Controller are not disclosed. They can be communicated to external subjects who collaborate as Data Processors, subjects who must supply goods or perform services or services on behalf of the Data Controller for the purpose of processing requests, third party technical service providers, postal couriers, hosting providers, IT companies, credit institutes, accountants and lawyers, hardware and software maintenance companies, or to subjects entitled to access them by virtue of the provisions of law, regulations, EU regulations (e.g. Revenue Agency, Tax Police, etc.), and third party accredited certifying bodies. You may ask the Data Controller for an updated list of Data Processing Officers. The obligation to communicate data to Public Authorities upon specific request remains without prejudice.

  1. Transfer abroad

Data are processed at the Data Controller’s operational headquarters and any other place where the parties involved in processing activities are located; the Data Controller does not transfer this personal data to third countries or international organisations. However, it reserves the right to use cloud services; in which case, the service providers will be selected from among those who provide adequate guarantees as required by Art. 46 of the GDPR. For the processing of information and data that will eventually be communicated to these subjects, the equivalent levels of protection adopted for the processing of personal data of its employees will be required. Only data strictly necessary for the pursuit of the intended purposes will be disclosed.

  1. Duration of processing activities

Data collected for the purposes indicated herein will be stored for the entire duration of the contract, and 10 years following its termination. In the event of a legal dispute, the data will be kept for the entire duration of the same, until the terms for appeal have expired.

  1. Method and nature of data provision

Your data is collected and recorded in a lawful and appropriate manner for the purposes indicated above, in compliance with the principles and provisions of Art. 5 of the GDPR. Personal data is processed with manual, IT and telematic tools with logic strictly related to the purposes themselves, in order to guarantee their security and confidentiality. Your consent is not required for data collected and used for needs attributable to the aforementioned purposes. The communication of personal data for the purposes referred to in this policy and their processing are necessary for the conclusion and execution of the contract. Failure or incomplete communication of such data determines the impossibility of following up on the relationship in question.

  1. Rights of the data subject

In compliance with, within the limits of and under the conditions established by legislation on personal data protection regarding the exercise of the rights of data subjects (Arts. 15-21 of the GDPR), with regard to the processing activities covered by this policy, data subjects can exercise certain rights with reference to the data processed by the Data Controller.

Data subjects have the right to:
– Withdraw consent at any time (where required)
– Oppose the processing of their data
– Access their data
– Verification and rectification
– Limit processing activities
– Cancellation or removal of their personal data
– Data portability

Data subjects have the right to lodge a complaint with the personal data protection supervisory authority or take legal action in the event that they believe that the processing of their personal data violates the rules of the GDPR, pursuant to Art. 77 of the GDPR.

How to exercise your rights
To request further information on the processing of your personal data or how to exercise your rights, send an email to Requests will be processed by the Data Controller as quickly as possible.

  1. Automated decisions

With regard to the processing activities indicated above, the Data Controller does not make decisions based on automated processes.

  1. Changes to this privacy policy

The Data Controller reserves the right to make changes to this privacy policy at any time by giving notice via email and/or on the Website.