PRIVACY NOTICE – SUPPLIERS
Notice provided pursuant to Article 13 of Regulation (EU) 2016/679 (GDPR)
1. WHO IS THE DATA CONTROLLER AND HOW CAN YOU CONTACT IT?
The Data Controller is LEGAMI S.P.A. SOCIETÀ BENEFIT, with its registered office at Via Stezzano, 18 - 24052 - Azzano San Paolo (BG), acting through its pro tempore legal representative. For any information, you may contact the Data Controller by email at privacy@legami.com.
HAS A DATA PROTECTION OFFICER BEEN APPOINTED? WHAT ARE THE CONTACT DETAILS?
LEGAMI S.P.A. SOCIETÀ BENEFIT has appointed a Data Protection Officer (DPO) pursuant to Articles 37, 38 and 39 of the GDPR. The DPO may be contacted at the Data Controller's registered office indicated above or by email at: dpo@legami.com
2. DEFINITIONS
Personal data: any information relating to an identified or identifiable natural person (the “data subject”); an identifiable natural person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to that person’s physical, physiological, genetic, mental, economic, cultural or social identity.
3. PURPOSES OF PROCESSING, LEGAL BASES, RETENTION PERIODS AND NATURE OF DATA PROVISION
A) PROCESSING PURPOSE
Performance of contractual obligations, including administrative and accounting purposes, as well as legal purposes connected with the establishment, performance and termination of the contractual relationship.
LEGAL BASIS
Processing is necessary for the performance of a contract (Recital 44).
Art. 6(1)(b) GDPR.
RETENTION PERIOD
10 years. Pursuant to Article 2220 of the Italian Civil Code, without prejudice to any contractual or non-contractual claims that may arise or to any different retention obligations imposed by law.
NATURE OF DATA PROVISION
Provision of personal data is necessary for contractual purposes. Failure to provide the required personal data will make it impossible to establish the contractual relationship with the data subjects concerned.
B) PROCESSING PURPOSE
Management of disputes and other legal matters, including the establishment, exercise or defence of legal claims.
LEGAL BASIS
Processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by third parties, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject requiring protection of personal data (Recitals 47-50). Art. 6(1)(f) GDPR.
RETENTION PERIOD
10 years, subject to any objection and without prejudice to any longer period required for the establishment, exercise or defence of legal claims.
NATURE OF DATA PROVISION
Provision of the data is necessary.
Failure to provide such data will prevent the pursuit of the Data Controller’s legitimate interest referred to in this section.
Any refusal will be assessed in light of the Data Controller’s legitimate interest referred to in this section.
C) PROCESSING PURPOSE
Handling requests relating to personal data protection and requests submitted by data subjects pursuant to Articles 15 et seq. of the GDPR (exercise of data subject rights).
LEGAL BASIS
Processing is necessary for compliance with a legal obligation to which the Data Controller is subject (Recital 45). Art. 6(1)(c) GDPR.
RETENTION PERIOD
5 years from the closure of the request, without prejudice to any disputes.
NATURE OF DATA PROVISION
Provision of personal data is mandatory, as it is necessary for compliance with legal obligations.
E) PROCESSING PURPOSE
Supplier evaluation based on personal data, company presentations or CVs, job profiles, certifications and references, where provided.
LEGAL BASIS
Processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by third parties, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject requiring protection of personal data, taking into account the data subject’s reasonable expectations.
(Art. 6(1)(f) and Recital 47 GDPR).
RETENTION PERIOD
Up to 3 years, subject to any objection.
NATURE OF DATA PROVISION
Provision of the data is necessary.
Failure to provide such data will prevent the pursuit of the Data Controller’s legitimate interest referred to in this section.
Any refusal will be assessed in light of the Data Controller’s legitimate interest referred to in this section.
4. TO WHOM MAY PERSONAL DATA BE DISCLOSED? DATA RECIPIENTS
Personal data will not be made public. Personal data may be disclosed to entities acting as independent data controllers or as data processors pursuant to Art. 28 GDPR, and may be processed by natural persons acting under the authority of the Data Controller or the data processors pursuant to Art. 29 GDPR, on the basis of specific instructions concerning the purposes and methods of processing. Personal data may be disclosed to recipients belonging to the following categories:
- entities based in Italy that manage, support or assist, even on an occasional basis, the Data Controller in the administration of its IT systems and telecommunications networks (including email, websites and/or web platforms);
- entities based in Italy that, under applicable accounting and tax legislation, are recipients of mandatory communications;
- banks and equivalent financial institutions based in Italy;
- entities based in Italy with which the Data Controller has entered into commercial agreements;
- firms or companies based in Italy engaged for tax assistance and consultancy, and for administrative/accounting management;
- certification bodies and companies based in Italy;
- clients based in Italy, in EEA Countries or in non-EEA Countries;
- competent authorities, where required for compliance with legal obligations and/or provisions issued by public bodies, upon request.
5. MAY PERSONAL DATA BE TRANSFERRED TO A NON-EEA COUNTRY?
Personal data will not be transferred to countries outside the EEA. In particular, the data will be stored in Italy and the recipients of the data are based in Italy.
Should personal data be transferred to countries outside the European Economic Area, such transfer will take place in compliance with the safeguards provided for under applicable law, so as to ensure an adequate level of protection for data subjects.
To obtain information on the safeguards applicable to transfers of data outside the EEA, data subjects may write to privacy@legami.com
6. IS ANY PROCESSING CARRIED OUT BY AUTOMATED MEANS?
Personal data may be processed by manual, electronic and automated means. No decisions are taken solely by automated means.
7. DATA SUBJECT RIGHTS
Data subjects may exercise the rights provided for in Articles 15 et seq. of the GDPR by contacting the DPO at dpo@legami.com, by contacting the Data Controller at privacy@legami.com, or by writing to the contact details indicated above.
The Data Controller ensures that data subjects may, at any time, request access to their personal data (Art. 15), rectification (Art. 16), erasure (Art. 17) and restriction of processing (Art. 18). Pursuant to Art. 19, the Data Controller shall communicate any rectification, erasure or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The Data Controller shall also inform data subjects of those recipients if requested to do so.
The Data Controller also guarantees the right to data portability (Art. 20) and, where a request is made pursuant to Art. 20, will provide the data subject with the personal data in a structured, commonly used and machine-readable format.
Data subjects have the right to object at any time, pursuant to Art. 21, to processing based on legitimate interest by writing to the contact details indicated above and stating “objection” in the subject line. Where the right to object to processing based on legitimate interest is exercised, the Data Controller acknowledges the data subject’s right to obtain, upon request, information regarding the balancing test carried out.
If data subjects believe that the processing of their personal data by the Data Controller infringes Regulation (EU) 2016/679, they may lodge a complaint with the competent supervisory authority, in particular in the Member State of their habitual residence or place of work, or in the place where the alleged infringement occurred (Italian Data Protection Authority: https://www.garanteprivacy.it/), or they may bring proceedings before the competent courts.
8. AMENDMENTS TO THIS NOTICE
The Data Controller reserves the right to amend, update, add to or remove any part of this Privacy Notice. To facilitate verification of any amendments, this notice will indicate the date on which it was last updated.
Last Update: 21 May 2026